From 2b5aef75f1e627293b1f7c72ae95c99208f97d9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 22 Dec 2023 19:43:27 +0100 Subject: [PATCH] feat: add cleanup policies v2 (#9261) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: add cleanup policies v2 Signed-off-by: Charles-Edouard Brétéché * fix test Signed-off-by: Charles-Edouard Brétéché * fix: test Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché --- api/kyverno/v2/cleanup_policy_test.go | 712 +++++ api/kyverno/v2/cleanup_policy_types.go | 293 ++ api/kyverno/v2/condition.go | 94 + api/kyverno/v2/match_resources_test.go | 68 + api/kyverno/v2/match_resources_types.go | 80 + api/kyverno/v2/zz_generated.deepcopy.go | 269 ++ api/kyverno/v2/zz_generated.register.go | 4 + .../kyverno/charts/crds/templates/crds.yaml | 2482 +++++++++++++++++ config/crds/kyverno.io_cleanuppolicies.yaml | 1241 +++++++++ .../kyverno.io_clustercleanuppolicies.yaml | 1241 +++++++++ config/install-latest-testing.yaml | 2482 +++++++++++++++++ docs/user/crd/index.html | 627 +++++ .../kyverno/v2/anyallconditions.go | 58 + .../kyverno/v2/cleanuppolicy.go | 219 ++ .../kyverno/v2/cleanuppolicyspec.go | 84 + .../kyverno/v2/cleanuppolicystatus.go | 54 + .../kyverno/v2/clustercleanuppolicy.go | 218 ++ .../kyverno/v2/condition.go | 71 + .../kyverno/v2/matchresources.go | 52 + pkg/client/applyconfigurations/utils.go | 14 + .../typed/kyverno/v2/cleanuppolicy.go | 195 ++ .../typed/kyverno/v2/clustercleanuppolicy.go | 184 ++ .../kyverno/v2/fake/fake_cleanuppolicy.go | 141 + .../v2/fake/fake_clustercleanuppolicy.go | 132 + .../kyverno/v2/fake/fake_kyverno_client.go | 8 + .../typed/kyverno/v2/generated_expansion.go | 4 + .../typed/kyverno/v2/kyverno_client.go | 10 + .../informers/externalversions/generic.go | 4 + .../kyverno/v2/cleanuppolicy.go | 90 + .../kyverno/v2/clustercleanuppolicy.go | 89 + .../externalversions/kyverno/v2/interface.go | 14 + .../listers/kyverno/v2/cleanuppolicy.go | 99 + .../kyverno/v2/clustercleanuppolicy.go | 68 + .../listers/kyverno/v2/expansion_generated.go | 12 + .../cleanuppolicies/resource.generated.go | 373 +++ .../kyverno/kyvernov2/client.generated.go | 22 + .../resource.generated.go | 373 +++ .../target-namespace-scope/policy-pass-3.yaml | 2 +- 38 files changed, 12182 insertions(+), 1 deletion(-) create mode 100644 api/kyverno/v2/cleanup_policy_test.go create mode 100644 api/kyverno/v2/cleanup_policy_types.go create mode 100644 api/kyverno/v2/condition.go create mode 100644 api/kyverno/v2/match_resources_test.go create mode 100644 api/kyverno/v2/match_resources_types.go create mode 100644 pkg/client/applyconfigurations/kyverno/v2/anyallconditions.go create mode 100644 pkg/client/applyconfigurations/kyverno/v2/cleanuppolicy.go create mode 100644 pkg/client/applyconfigurations/kyverno/v2/cleanuppolicyspec.go create mode 100644 pkg/client/applyconfigurations/kyverno/v2/cleanuppolicystatus.go create mode 100644 pkg/client/applyconfigurations/kyverno/v2/clustercleanuppolicy.go create mode 100644 pkg/client/applyconfigurations/kyverno/v2/condition.go create mode 100644 pkg/client/applyconfigurations/kyverno/v2/matchresources.go create mode 100644 pkg/client/clientset/versioned/typed/kyverno/v2/cleanuppolicy.go create mode 100644 pkg/client/clientset/versioned/typed/kyverno/v2/clustercleanuppolicy.go create mode 100644 pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_cleanuppolicy.go create mode 100644 pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_clustercleanuppolicy.go create mode 100644 pkg/client/informers/externalversions/kyverno/v2/cleanuppolicy.go create mode 100644 pkg/client/informers/externalversions/kyverno/v2/clustercleanuppolicy.go create mode 100644 pkg/client/listers/kyverno/v2/cleanuppolicy.go create mode 100644 pkg/client/listers/kyverno/v2/clustercleanuppolicy.go create mode 100644 pkg/clients/kyverno/kyvernov2/cleanuppolicies/resource.generated.go create mode 100644 pkg/clients/kyverno/kyvernov2/clustercleanuppolicies/resource.generated.go diff --git a/api/kyverno/v2/cleanup_policy_test.go b/api/kyverno/v2/cleanup_policy_test.go new file mode 100644 index 0000000000..f9d03560f0 --- /dev/null +++ b/api/kyverno/v2/cleanup_policy_test.go @@ -0,0 +1,712 @@ +package v2 + +import ( + "encoding/json" + "fmt" + "testing" + + "gotest.tools/assert" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/validation/field" +) + +func Test_CleanupPolicy_Name(t *testing.T) { + subject := CleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method", + }, + Spec: CleanupPolicySpec{ + Schedule: "* * * * *", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "metadata.name") + assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong) + assert.Equal(t, errs[0].Detail, "must have at most 63 bytes") + assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes") +} + +func Test_CleanupPolicy_Schedule(t *testing.T) { + subject := CleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-policy", + }, + Spec: CleanupPolicySpec{ + Schedule: "schedule-not-in-proper-cron-format", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "spec.schedule") + assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid) + assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format") + assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule)) +} + +func Test_ClusterCleanupPolicy_Name(t *testing.T) { + subject := ClusterCleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method", + }, + Spec: CleanupPolicySpec{ + Schedule: "* * * * *", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "metadata.name") + assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong) + assert.Equal(t, errs[0].Detail, "must have at most 63 bytes") + assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes") +} + +func Test_ClusterCleanupPolicy_Schedule(t *testing.T) { + subject := ClusterCleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-policy", + }, + Spec: CleanupPolicySpec{ + Schedule: "schedule-not-in-proper-cron-format", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "spec.schedule") + assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid) + assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format") + assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule)) +} + +func Test_doesMatchExcludeConflict_cleanupPolicy(t *testing.T) { + path := field.NewPath("dummy") + testcases := []struct { + description string + policySpec []byte + errors func(r *CleanupPolicySpec) field.ErrorList + }{ + { + description: "Same match and exclude", + policySpec: []byte(` +{ + "match": { + "any": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "any": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + errors: func(r *CleanupPolicySpec) (errs field.ErrorList) { + return append(errs, field.Invalid(path, r, "CleanupPolicy is matching an empty set")) + }, + }, + { + description: "Failed to exclude kind", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude name", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something-*", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude namespace", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something3", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude labels", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "higha" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude expression", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "databases" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude subjects", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude clusterroles", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude roles", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "empty case", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "selector": { + "matchLabels": { + "allow-deletes": "false" + } + } + } + }] + }, + "exclude": {}, + "schedule": "* * * * *" +}`), + }, + } + for _, testcase := range testcases { + t.Run(testcase.description, func(t *testing.T) { + var policySpec CleanupPolicySpec + err := json.Unmarshal(testcase.policySpec, &policySpec) + assert.NilError(t, err) + errs := policySpec.ValidateMatchExcludeConflict(path) + var expectedErrs field.ErrorList + if testcase.errors != nil { + expectedErrs = testcase.errors(&policySpec) + } + assert.Equal(t, len(errs), len(expectedErrs)) + for i := range errs { + fmt.Println(i) + assert.Equal(t, errs[i].Error(), expectedErrs[i].Error()) + } + }) + } +} diff --git a/api/kyverno/v2/cleanup_policy_types.go b/api/kyverno/v2/cleanup_policy_types.go new file mode 100644 index 0000000000..fcb32e272d --- /dev/null +++ b/api/kyverno/v2/cleanup_policy_types.go @@ -0,0 +1,293 @@ +/* +Copyright 2020 The Kubernetes authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v2 + +import ( + "time" + + "github.com/aptible/supercronic/cronexpr" + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + datautils "github.com/kyverno/kyverno/pkg/utils/data" + "github.com/robfig/cron" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/apimachinery/pkg/util/validation/field" +) + +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:resource:shortName=cleanpol,categories=kyverno +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule" +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" + +// CleanupPolicy defines a rule for resource cleanup. +type CleanupPolicy struct { + metav1.TypeMeta `json:",inline,omitempty"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec declares policy behaviors. + Spec CleanupPolicySpec `json:"spec"` + + // Status contains policy runtime data. + // +optional + Status CleanupPolicyStatus `json:"status,omitempty"` +} + +// GetSpec returns the policy spec +func (p *CleanupPolicy) GetSpec() *CleanupPolicySpec { + return &p.Spec +} + +// GetStatus returns the policy status +func (p *CleanupPolicy) GetStatus() *CleanupPolicyStatus { + return &p.Status +} + +// GetExecutionTime returns the execution time of the policy +func (p *CleanupPolicy) GetExecutionTime() (*time.Time, error) { + lastExecutionTime := p.Status.LastExecutionTime.Time + if lastExecutionTime.IsZero() { + creationTime := p.GetCreationTimestamp().Time + return p.GetNextExecutionTime(creationTime) + } else { + return p.GetNextExecutionTime(lastExecutionTime) + } +} + +// GetNextExecutionTime returns the next execution time of the policy +func (p *CleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error) { + cronExpr, err := cronexpr.Parse(p.Spec.Schedule) + if err != nil { + return nil, err + } + nextExecutionTime := cronExpr.Next(time) + return &nextExecutionTime, nil +} + +// Validate implements programmatic validation +func (p *CleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) { + errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...) + errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, true)...) + return errs +} + +// GetKind returns the resource kind +func (p *CleanupPolicy) GetKind() string { + return "CleanupPolicy" +} + +// GetAPIVersion returns the resource kind +func (p *CleanupPolicy) GetAPIVersion() string { + return p.APIVersion +} + +// IsNamespaced indicates if the policy is namespace scoped +func (p *CleanupPolicy) IsNamespaced() bool { + return true +} + +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// CleanupPolicyList is a list of ClusterPolicy instances. +type CleanupPolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata"` + Items []CleanupPolicy `json:"items"` +} + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:resource:scope=Cluster,shortName=ccleanpol,categories=kyverno +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule" +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" + +// ClusterCleanupPolicy defines rule for resource cleanup. +type ClusterCleanupPolicy struct { + metav1.TypeMeta `json:",inline,omitempty"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec declares policy behaviors. + Spec CleanupPolicySpec `json:"spec"` + + // Status contains policy runtime data. + // +optional + Status CleanupPolicyStatus `json:"status,omitempty"` +} + +// GetSpec returns the policy spec +func (p *ClusterCleanupPolicy) GetSpec() *CleanupPolicySpec { + return &p.Spec +} + +// GetStatus returns the policy status +func (p *ClusterCleanupPolicy) GetStatus() *CleanupPolicyStatus { + return &p.Status +} + +// GetExecutionTime returns the execution time of the policy +func (p *ClusterCleanupPolicy) GetExecutionTime() (*time.Time, error) { + lastExecutionTime := p.Status.LastExecutionTime.Time + if lastExecutionTime.IsZero() { + creationTime := p.GetCreationTimestamp().Time + return p.GetNextExecutionTime(creationTime) + } else { + return p.GetNextExecutionTime(lastExecutionTime) + } +} + +// GetNextExecutionTime returns the next execution time of the policy +func (p *ClusterCleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error) { + cronExpr, err := cronexpr.Parse(p.Spec.Schedule) + if err != nil { + return nil, err + } + nextExecutionTime := cronExpr.Next(time) + return &nextExecutionTime, nil +} + +// GetKind returns the resource kind +func (p *ClusterCleanupPolicy) GetKind() string { + return "ClusterCleanupPolicy" +} + +// GetAPIVersion returns the resource kind +func (p *ClusterCleanupPolicy) GetAPIVersion() string { + return p.APIVersion +} + +// IsNamespaced indicates if the policy is namespace scoped +func (p *ClusterCleanupPolicy) IsNamespaced() bool { + return false +} + +// Validate implements programmatic validation +func (p *ClusterCleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) { + errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...) + errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, false)...) + return errs +} + +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ClusterCleanupPolicyList is a list of ClusterCleanupPolicy instances. +type ClusterCleanupPolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata"` + Items []ClusterCleanupPolicy `json:"items"` +} + +// CleanupPolicySpec stores specifications for selecting resources that the user needs to delete +// and schedule when the matching resources needs deleted. +type CleanupPolicySpec struct { + // Context defines variables and data sources that can be used during rule execution. + // +optional + Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"` + + // MatchResources defines when cleanuppolicy should be applied. The match + // criteria can include resource information (e.g. kind, name, namespace, labels) + // and admission review request information like the user name or role. + // At least one kind is required. + MatchResources MatchResources `json:"match,omitempty"` + + // ExcludeResources defines when cleanuppolicy should not be applied. The exclude + // criteria can include resource information (e.g. kind, name, namespace, labels) + // and admission review request information like the name or role. + // +optional + ExcludeResources *MatchResources `json:"exclude,omitempty"` + + // The schedule in Cron format + Schedule string `json:"schedule"` + + // Conditions defines the conditions used to select the resources which will be cleaned up. + // +optional + Conditions *AnyAllConditions `json:"conditions,omitempty"` +} + +// CleanupPolicyStatus stores the status of the policy. +type CleanupPolicyStatus struct { + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + LastExecutionTime metav1.Time `json:"lastExecutionTime,omitempty"` +} + +// Validate implements programmatic validation +func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList) { + // Write context validation code here by following other validations. + errs = append(errs, ValidateContext(path.Child("context"), p.Context)...) + errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...) + if userInfoErrs := p.MatchResources.ValidateNoUserInfo(path.Child("match")); len(userInfoErrs) != 0 { + errs = append(errs, userInfoErrs...) + } else { + errs = append(errs, p.MatchResources.Validate(path.Child("match"), namespaced, clusterResources)...) + } + if p.ExcludeResources != nil { + if userInfoErrs := p.ExcludeResources.ValidateNoUserInfo(path.Child("exclude")); len(userInfoErrs) != 0 { + errs = append(errs, userInfoErrs...) + } else { + errs = append(errs, p.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...) + } + } + errs = append(errs, p.ValidateMatchExcludeConflict(path)...) + return errs +} + +func ValidateContext(path *field.Path, context []kyvernov1.ContextEntry) (errs field.ErrorList) { + for _, entry := range context { + if entry.ImageRegistry != nil { + errs = append(errs, field.Invalid(path, context, "ImageRegistry is not allowed in CleanUp Policy")) + } else if entry.ConfigMap != nil { + errs = append(errs, field.Invalid(path, context, "ConfigMap is not allowed in CleanUp Policy")) + } + } + return errs +} + +// ValidateSchedule validates whether the schedule specified is in proper cron format or not. +func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList) { + if _, err := cron.ParseStandard(schedule); err != nil { + errs = append(errs, field.Invalid(path, schedule, "schedule spec in the cleanupPolicy is not in proper cron format")) + } + return errs +} + +// ValidateMatchExcludeConflict checks if the resultant of match and exclude block is not an empty set +func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList) { + if spec.ExcludeResources == nil || len(spec.ExcludeResources.All) > 0 || len(spec.MatchResources.All) > 0 { + return errs + } + // if both have any then no resource should be common + if len(spec.MatchResources.Any) > 0 && len(spec.ExcludeResources.Any) > 0 { + for _, rmr := range spec.MatchResources.Any { + for _, rer := range spec.ExcludeResources.Any { + if datautils.DeepEqual(rmr, rer) { + return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set")) + } + } + } + return errs + } + if datautils.DeepEqual(spec.ExcludeResources, &MatchResources{}) { + return errs + } + return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set")) +} diff --git a/api/kyverno/v2/condition.go b/api/kyverno/v2/condition.go new file mode 100644 index 0000000000..058329332c --- /dev/null +++ b/api/kyverno/v2/condition.go @@ -0,0 +1,94 @@ +package v2 + +import ( + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" + apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" +) + +// ConditionOperator is the operation performed on condition key and value. +// +kubebuilder:validation:Enum=Equals;NotEquals;AnyIn;AllIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan +type ConditionOperator string + +// ConditionOperators stores all the valid ConditionOperator types as key-value pairs. +// "Equals" evaluates if the key is equal to the value. +// "NotEquals" evaluates if the key is not equal to the value. +// "AnyIn" evaluates if any of the keys are contained in the set of values. +// "AllIn" evaluates if all the keys are contained in the set of values. +// "AnyNotIn" evaluates if any of the keys are not contained in the set of values. +// "AllNotIn" evaluates if all the keys are not contained in the set of values. +// "GreaterThanOrEquals" evaluates if the key (numeric) is greater than or equal to the value (numeric). +// "GreaterThan" evaluates if the key (numeric) is greater than the value (numeric). +// "LessThanOrEquals" evaluates if the key (numeric) is less than or equal to the value (numeric). +// "LessThan" evaluates if the key (numeric) is less than the value (numeric). +// "DurationGreaterThanOrEquals" evaluates if the key (duration) is greater than or equal to the value (duration) +// "DurationGreaterThan" evaluates if the key (duration) is greater than the value (duration) +// "DurationLessThanOrEquals" evaluates if the key (duration) is less than or equal to the value (duration) +// "DurationLessThan" evaluates if the key (duration) is greater than the value (duration) +var ConditionOperators = map[string]ConditionOperator{ + "Equals": ConditionOperator("Equals"), + "NotEquals": ConditionOperator("NotEquals"), + "AnyIn": ConditionOperator("AnyIn"), + "AllIn": ConditionOperator("AllIn"), + "AnyNotIn": ConditionOperator("AnyNotIn"), + "AllNotIn": ConditionOperator("AllNotIn"), + "GreaterThanOrEquals": ConditionOperator("GreaterThanOrEquals"), + "GreaterThan": ConditionOperator("GreaterThan"), + "LessThanOrEquals": ConditionOperator("LessThanOrEquals"), + "LessThan": ConditionOperator("LessThan"), + "DurationGreaterThanOrEquals": ConditionOperator("DurationGreaterThanOrEquals"), + "DurationGreaterThan": ConditionOperator("DurationGreaterThan"), + "DurationLessThanOrEquals": ConditionOperator("DurationLessThanOrEquals"), + "DurationLessThan": ConditionOperator("DurationLessThan"), +} + +type Condition struct { + // Key is the context entry (using JMESPath) for conditional rule evaluation. + RawKey *apiextv1.JSON `json:"key,omitempty" yaml:"key,omitempty"` + + // Operator is the conditional operation to perform. Valid operators are: + // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + // GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + // DurationLessThanOrEquals, DurationLessThan + Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"` + + // Value is the conditional value, or set of values. The values can be fixed set + // or can be variables declared using JMESPath. + // +optional + RawValue *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"` + + // Message is an optional display message + Message string `json:"message,omitempty" yaml:"message,omitempty"` +} + +func (c *Condition) GetKey() apiextensions.JSON { + return kyvernov1.FromJSON(c.RawKey) +} + +func (c *Condition) SetKey(in apiextensions.JSON) { + c.RawKey = kyvernov1.ToJSON(in) +} + +func (c *Condition) GetValue() apiextensions.JSON { + return kyvernov1.FromJSON(c.RawValue) +} + +func (c *Condition) SetValue(in apiextensions.JSON) { + c.RawValue = kyvernov1.ToJSON(in) +} + +type AnyAllConditions struct { + // AnyConditions enable variable-based conditional rule execution. This is useful for + // finer control of when an rule is applied. A condition can reference object data + // using JMESPath notation. + // Here, at least one of the conditions need to pass. + // +optional + AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"` + + // AllConditions enable variable-based conditional rule execution. This is useful for + // finer control of when an rule is applied. A condition can reference object data + // using JMESPath notation. + // Here, all of the conditions need to pass. + // +optional + AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"` +} diff --git a/api/kyverno/v2/match_resources_test.go b/api/kyverno/v2/match_resources_test.go new file mode 100644 index 0000000000..d7787d5ddb --- /dev/null +++ b/api/kyverno/v2/match_resources_test.go @@ -0,0 +1,68 @@ +package v2 + +import ( + "testing" + + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "gotest.tools/assert" + rbacv1 "k8s.io/api/rbac/v1" + "k8s.io/apimachinery/pkg/util/validation/field" +) + +func Test_MatchResources(t *testing.T) { + testCases := []struct { + name string + namespaced bool + subject MatchResources + errors []string + }{{ + name: "valid", + namespaced: true, + subject: MatchResources{ + Any: kyvernov1.ResourceFilters{{ + UserInfo: kyvernov1.UserInfo{ + Subjects: []rbacv1.Subject{{ + Kind: "ServiceAccount", + Namespace: "ns", + Name: "sa-1", + }}, + }, + }}, + }, + }, { + name: "any-all", + namespaced: true, + subject: MatchResources{ + Any: kyvernov1.ResourceFilters{{ + UserInfo: kyvernov1.UserInfo{ + Subjects: []rbacv1.Subject{{ + Kind: "ServiceAccount", + Namespace: "ns", + Name: "sa-1", + }}, + }, + }}, + All: kyvernov1.ResourceFilters{{ + UserInfo: kyvernov1.UserInfo{ + Subjects: []rbacv1.Subject{{ + Kind: "ServiceAccount", + Namespace: "ns", + Name: "sa-1", + }}, + }, + }}, + }, + errors: []string{ + `dummy: Invalid value: v2.MatchResources{Any:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}, All:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}}: Can't specify any and all together`, + }, + }} + + path := field.NewPath("dummy") + for _, testCase := range testCases { + errs := testCase.subject.Validate(path, testCase.namespaced, nil) + assert.Equal(t, len(errs), len(testCase.errors)) + for i, err := range errs { + assert.Equal(t, err.Error(), testCase.errors[i]) + } + } +} diff --git a/api/kyverno/v2/match_resources_types.go b/api/kyverno/v2/match_resources_types.go new file mode 100644 index 0000000000..0889b68286 --- /dev/null +++ b/api/kyverno/v2/match_resources_types.go @@ -0,0 +1,80 @@ +package v2 + +import ( + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/apimachinery/pkg/util/validation/field" +) + +// MatchResources is used to specify resource and admission review request data for +// which a policy rule is applicable. +type MatchResources struct { + // Any allows specifying resources which will be ORed + // +optional + Any kyvernov1.ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"` + + // All allows specifying resources which will be ANDed + // +optional + All kyvernov1.ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"` +} + +// GetKinds returns all kinds +func (m *MatchResources) GetKinds() []string { + var kinds []string + for _, value := range m.All { + kinds = append(kinds, value.ResourceDescription.Kinds...) + } + for _, value := range m.Any { + kinds = append(kinds, value.ResourceDescription.Kinds...) + } + return kinds +} + +// ValidateNoUserInfo verifies that no user info is used +func (m *MatchResources) ValidateNoUserInfo(path *field.Path) (errs field.ErrorList) { + anyPath := path.Child("any") + for i, filter := range m.Any { + errs = append(errs, filter.UserInfo.ValidateNoUserInfo(anyPath.Index(i))...) + } + allPath := path.Child("all") + for i, filter := range m.All { + errs = append(errs, filter.UserInfo.ValidateNoUserInfo(allPath.Index(i))...) + } + return errs +} + +// ValidateResourceWithNoUserInfo implements programmatic validation and verifies that no user info is used +func (m *MatchResources) ValidateResourceWithNoUserInfo(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) { + if len(m.Any) > 0 && len(m.All) > 0 { + errs = append(errs, field.Invalid(path, m, "Can't specify any and all together")) + } + anyPath := path.Child("any") + for i, filter := range m.Any { + errs = append(errs, filter.UserInfo.ValidateNoUserInfo(anyPath.Index(i))...) + errs = append(errs, filter.ResourceDescription.Validate(anyPath.Index(i), namespaced, clusterResources)...) + } + allPath := path.Child("all") + for i, filter := range m.All { + errs = append(errs, filter.UserInfo.ValidateNoUserInfo(allPath.Index(i))...) + errs = append(errs, filter.ResourceDescription.Validate(allPath.Index(i), namespaced, clusterResources)...) + } + return errs +} + +// Validate implements programmatic validation +func (m *MatchResources) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) { + if len(m.Any) > 0 && len(m.All) > 0 { + errs = append(errs, field.Invalid(path, m, "Can't specify any and all together")) + } + anyPath := path.Child("any") + for i, filter := range m.Any { + errs = append(errs, filter.UserInfo.Validate(anyPath.Index(i))...) + errs = append(errs, filter.ResourceDescription.Validate(anyPath.Index(i), namespaced, clusterResources)...) + } + allPath := path.Child("all") + for i, filter := range m.All { + errs = append(errs, filter.UserInfo.Validate(allPath.Index(i))...) + errs = append(errs, filter.ResourceDescription.Validate(allPath.Index(i), namespaced, clusterResources)...) + } + return errs +} diff --git a/api/kyverno/v2/zz_generated.deepcopy.go b/api/kyverno/v2/zz_generated.deepcopy.go index 7986f7e785..c89c9695dc 100644 --- a/api/kyverno/v2/zz_generated.deepcopy.go +++ b/api/kyverno/v2/zz_generated.deepcopy.go @@ -22,8 +22,11 @@ limitations under the License. package v2 import ( + v1 "github.com/kyverno/kyverno/api/kyverno/v1" v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" v1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -112,6 +115,36 @@ func (in *AdmissionReportSpec) DeepCopy() *AdmissionReportSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions) { + *out = *in + if in.AnyConditions != nil { + in, out := &in.AnyConditions, &out.AnyConditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.AllConditions != nil { + in, out := &in.AllConditions, &out.AllConditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions. +func (in *AnyAllConditions) DeepCopy() *AnyAllConditions { + if in == nil { + return nil + } + out := new(AnyAllConditions) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BackgroundScanReport) DeepCopyInto(out *BackgroundScanReport) { *out = *in @@ -196,6 +229,125 @@ func (in *BackgroundScanReportSpec) DeepCopy() *BackgroundScanReportSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CleanupPolicy) DeepCopyInto(out *CleanupPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicy. +func (in *CleanupPolicy) DeepCopy() *CleanupPolicy { + if in == nil { + return nil + } + out := new(CleanupPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CleanupPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CleanupPolicyList) DeepCopyInto(out *CleanupPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]CleanupPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyList. +func (in *CleanupPolicyList) DeepCopy() *CleanupPolicyList { + if in == nil { + return nil + } + out := new(CleanupPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CleanupPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) { + *out = *in + if in.Context != nil { + in, out := &in.Context, &out.Context + *out = make([]v1.ContextEntry, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.MatchResources.DeepCopyInto(&out.MatchResources) + if in.ExcludeResources != nil { + in, out := &in.ExcludeResources, &out.ExcludeResources + *out = new(MatchResources) + (*in).DeepCopyInto(*out) + } + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = new(AnyAllConditions) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicySpec. +func (in *CleanupPolicySpec) DeepCopy() *CleanupPolicySpec { + if in == nil { + return nil + } + out := new(CleanupPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CleanupPolicyStatus) DeepCopyInto(out *CleanupPolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.LastExecutionTime.DeepCopyInto(&out.LastExecutionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyStatus. +func (in *CleanupPolicyStatus) DeepCopy() *CleanupPolicyStatus { + if in == nil { + return nil + } + out := new(CleanupPolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterAdmissionReport) DeepCopyInto(out *ClusterAdmissionReport) { *out = *in @@ -316,6 +468,93 @@ func (in *ClusterBackgroundScanReportList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterCleanupPolicy) DeepCopyInto(out *ClusterCleanupPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicy. +func (in *ClusterCleanupPolicy) DeepCopy() *ClusterCleanupPolicy { + if in == nil { + return nil + } + out := new(ClusterCleanupPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterCleanupPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterCleanupPolicyList) DeepCopyInto(out *ClusterCleanupPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterCleanupPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicyList. +func (in *ClusterCleanupPolicyList) DeepCopy() *ClusterCleanupPolicyList { + if in == nil { + return nil + } + out := new(ClusterCleanupPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + if in.RawKey != nil { + in, out := &in.RawKey, &out.RawKey + *out = new(apiextensionsv1.JSON) + (*in).DeepCopyInto(*out) + } + if in.RawValue != nil { + in, out := &in.RawValue, &out.RawValue + *out = new(apiextensionsv1.JSON) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Exception) DeepCopyInto(out *Exception) { *out = *in @@ -337,6 +576,36 @@ func (in *Exception) DeepCopy() *Exception { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MatchResources) DeepCopyInto(out *MatchResources) { + *out = *in + if in.Any != nil { + in, out := &in.Any, &out.Any + *out = make(v1.ResourceFilters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.All != nil { + in, out := &in.All, &out.All + *out = make(v1.ResourceFilters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources. +func (in *MatchResources) DeepCopy() *MatchResources { + if in == nil { + return nil + } + out := new(MatchResources) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyException) DeepCopyInto(out *PolicyException) { *out = *in diff --git a/api/kyverno/v2/zz_generated.register.go b/api/kyverno/v2/zz_generated.register.go index 713c98d009..fb6801e1d3 100644 --- a/api/kyverno/v2/zz_generated.register.go +++ b/api/kyverno/v2/zz_generated.register.go @@ -62,10 +62,14 @@ func addKnownTypes(scheme *runtime.Scheme) error { &AdmissionReportList{}, &BackgroundScanReport{}, &BackgroundScanReportList{}, + &CleanupPolicy{}, + &CleanupPolicyList{}, &ClusterAdmissionReport{}, &ClusterAdmissionReportList{}, &ClusterBackgroundScanReport{}, &ClusterBackgroundScanReportList{}, + &ClusterCleanupPolicy{}, + &ClusterCleanupPolicyList{}, &PolicyException{}, &PolicyExceptionList{}, ) diff --git a/charts/kyverno/charts/crds/templates/crds.yaml b/charts/kyverno/charts/crds/templates/crds.yaml index da1b3919e2..b152bf4b24 100644 --- a/charts/kyverno/charts/crds/templates/crds.yaml +++ b/charts/kyverno/charts/crds/templates/crds.yaml @@ -1247,6 +1247,1247 @@ spec: singular: cleanuppolicy scope: Namespaced versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: CleanupPolicy defines a rule for resource cleanup. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: AllConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule + Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes API + server, or other JSON web service. The data returned is stored + in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to the server. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response returned + from the server. For example a JMESPath of "items | length(@)" + applied to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across all + namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle which + will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. A typical + form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in the HTTP + GET or POST request to the Kubernetes API server (e.g. + "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl + get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: 'Providers specifies a list of OCI Registry + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets that + are provided for credentials. Secrets must live in + the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct returned + as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object + that the variable may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when cleanuppolicy should not + be applied. The exclude criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review request + information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: MatchResources defines when cleanuppolicy should be applied. + The match criteria can include resource information (e.g. kind, + name, namespace, labels) and admission review request information + like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.schedule name: Schedule @@ -4981,6 +6222,1247 @@ spec: singular: clustercleanuppolicy scope: Cluster versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: ClusterCleanupPolicy defines rule for resource cleanup. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: AllConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule + Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes API + server, or other JSON web service. The data returned is stored + in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to the server. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response returned + from the server. For example a JMESPath of "items | length(@)" + applied to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across all + namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle which + will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. A typical + form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in the HTTP + GET or POST request to the Kubernetes API server (e.g. + "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl + get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: 'Providers specifies a list of OCI Registry + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets that + are provided for credentials. Secrets must live in + the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct returned + as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object + that the variable may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when cleanuppolicy should not + be applied. The exclude criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review request + information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: MatchResources defines when cleanuppolicy should be applied. + The match criteria can include resource information (e.g. kind, + name, namespace, labels) and admission review request information + like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.schedule name: Schedule diff --git a/config/crds/kyverno.io_cleanuppolicies.yaml b/config/crds/kyverno.io_cleanuppolicies.yaml index dcba01e640..ca4a4e50d0 100644 --- a/config/crds/kyverno.io_cleanuppolicies.yaml +++ b/config/crds/kyverno.io_cleanuppolicies.yaml @@ -18,6 +18,1247 @@ spec: singular: cleanuppolicy scope: Namespaced versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: CleanupPolicy defines a rule for resource cleanup. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: AllConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule + Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes API + server, or other JSON web service. The data returned is stored + in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to the server. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response returned + from the server. For example a JMESPath of "items | length(@)" + applied to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across all + namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle which + will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. A typical + form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in the HTTP + GET or POST request to the Kubernetes API server (e.g. + "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl + get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: 'Providers specifies a list of OCI Registry + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets that + are provided for credentials. Secrets must live in + the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct returned + as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object + that the variable may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when cleanuppolicy should not + be applied. The exclude criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review request + information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: MatchResources defines when cleanuppolicy should be applied. + The match criteria can include resource information (e.g. kind, + name, namespace, labels) and admission review request information + like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.schedule name: Schedule diff --git a/config/crds/kyverno.io_clustercleanuppolicies.yaml b/config/crds/kyverno.io_clustercleanuppolicies.yaml index f36f32c4f7..cfa9264d10 100644 --- a/config/crds/kyverno.io_clustercleanuppolicies.yaml +++ b/config/crds/kyverno.io_clustercleanuppolicies.yaml @@ -18,6 +18,1247 @@ spec: singular: clustercleanuppolicy scope: Cluster versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: ClusterCleanupPolicy defines rule for resource cleanup. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: AllConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule + Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes API + server, or other JSON web service. The data returned is stored + in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to the server. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response returned + from the server. For example a JMESPath of "items | length(@)" + applied to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across all + namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle which + will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. A typical + form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in the HTTP + GET or POST request to the Kubernetes API server (e.g. + "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl + get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: 'Providers specifies a list of OCI Registry + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets that + are provided for credentials. Secrets must live in + the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct returned + as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object + that the variable may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when cleanuppolicy should not + be applied. The exclude criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review request + information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: MatchResources defines when cleanuppolicy should be applied. + The match criteria can include resource information (e.g. kind, + name, namespace, labels) and admission review request information + like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.schedule name: Schedule diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 12a1ac684c..150cafeb2e 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -1458,6 +1458,1247 @@ spec: singular: cleanuppolicy scope: Namespaced versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: CleanupPolicy defines a rule for resource cleanup. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: AllConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule + Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes API + server, or other JSON web service. The data returned is stored + in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to the server. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response returned + from the server. For example a JMESPath of "items | length(@)" + applied to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across all + namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle which + will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. A typical + form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in the HTTP + GET or POST request to the Kubernetes API server (e.g. + "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl + get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: 'Providers specifies a list of OCI Registry + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets that + are provided for credentials. Secrets must live in + the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct returned + as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object + that the variable may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when cleanuppolicy should not + be applied. The exclude criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review request + information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: MatchResources defines when cleanuppolicy should be applied. + The match criteria can include resource information (e.g. kind, + name, namespace, labels) and admission review request information + like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.schedule name: Schedule @@ -5198,6 +6439,1247 @@ spec: singular: clustercleanuppolicy scope: Cluster versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: ClusterCleanupPolicy defines rule for resource cleanup. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: AllConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule + execution. This is useful for finer control of when an rule + is applied. A condition can reference object data using JMESPath + notation. Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation to perform. + Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set of values. + The values can be fixed set or can be variables declared + using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule + Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes API + server, or other JSON web service. The data returned is stored + in the context with the name for the context entry. + properties: + data: + description: Data specifies the POST data sent to the server. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response returned + from the server. For example a JMESPath of "items | length(@)" + applied to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across all + namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle which + will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. A typical + form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in the HTTP + GET or POST request to the Kubernetes API server (e.g. + "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl + get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: 'Providers specifies a list of OCI Registry + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets that + are provided for credentials. Secrets must live in + the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct returned + as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON object + that the variable may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when cleanuppolicy should not + be applied. The exclude criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review request + information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: MatchResources defines when cleanuppolicy should be applied. + The match criteria can include resource information (e.g. kind, + name, namespace, labels) and admission review request information + like the user name or role. At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.schedule name: Schedule diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 79def009e2..425405331c 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -1373,6 +1373,7 @@ string ForEachValidation, Rule, TargetResourceSpec, +CleanupPolicySpec, CleanupPolicySpec, Rule)

@@ -3226,6 +3227,7 @@ ResourceDescription

(Appears on: MatchResources, +MatchResources, MatchResources)

@@ -5334,10 +5336,14 @@ Resource Types:

  • BackgroundScanReport
  • +CleanupPolicy +
  • ClusterAdmissionReport
  • ClusterBackgroundScanReport
  • +ClusterCleanupPolicy +
  • PolicyException
    • @@ -5536,6 +5542,155 @@ PolicyReportSummary
    +

    CleanupPolicy +

    +

    +

    CleanupPolicy defines a rule for resource cleanup.

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +apiVersion
    +string    		 + +kyverno.io/v2 + +
    +kind
    +string +    		CleanupPolicy
    +metadata
    + + +Kubernetes meta/v1.ObjectMeta + + +    		 +Refer to the Kubernetes API documentation for the fields of the +metadata field. +
    +spec
    + + +CleanupPolicySpec + + +    		 +

    Spec declares policy behaviors.

    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    +context
    + + +[]ContextEntry + + +    		 +(Optional) +

    Context defines variables and data sources that can be used during rule execution.

    +
    +match
    + + +MatchResources + + +    		 +

    MatchResources defines when cleanuppolicy should be applied. The match +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the user name or role. +At least one kind is required.

    +
    +exclude
    + + +MatchResources + + +    		 +(Optional) +

    ExcludeResources defines when cleanuppolicy should not be applied. The exclude +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the name or role.

    +
    +schedule
    + +string + +    		 +

    The schedule in Cron format

    +
    +conditions
    + + +AnyAllConditions + + +    		 +(Optional) +

    Conditions defines the conditions used to select the resources which will be cleaned up.

    +
    +
    +status
    + + +CleanupPolicyStatus + + +    		 +(Optional) +

    Status contains policy runtime data.

    +
    +

    ClusterAdmissionReport

    @@ -5731,6 +5886,155 @@ PolicyReportSummary

    +

    ClusterCleanupPolicy +

    +

    +

    ClusterCleanupPolicy defines rule for resource cleanup.

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +apiVersion
    +string    		 + +kyverno.io/v2 + +
    +kind
    +string +    		ClusterCleanupPolicy
    +metadata
    + + +Kubernetes meta/v1.ObjectMeta + + +    		 +Refer to the Kubernetes API documentation for the fields of the +metadata field. +
    +spec
    + + +CleanupPolicySpec + + +    		 +

    Spec declares policy behaviors.

    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    +context
    + + +[]ContextEntry + + +    		 +(Optional) +

    Context defines variables and data sources that can be used during rule execution.

    +
    +match
    + + +MatchResources + + +    		 +

    MatchResources defines when cleanuppolicy should be applied. The match +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the user name or role. +At least one kind is required.

    +
    +exclude
    + + +MatchResources + + +    		 +(Optional) +

    ExcludeResources defines when cleanuppolicy should not be applied. The exclude +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the name or role.

    +
    +schedule
    + +string + +    		 +

    The schedule in Cron format

    +
    +conditions
    + + +AnyAllConditions + + +    		 +(Optional) +

    Conditions defines the conditions used to select the resources which will be cleaned up.

    +
    +
    +status
    + + +CleanupPolicyStatus + + +    		 +(Optional) +

    Status contains policy runtime data.

    +
    +

    PolicyException

    @@ -5912,6 +6216,59 @@ PolicyReportSummary

    +

    AnyAllConditions +

    +

    +(Appears on: +CleanupPolicySpec) +

    +

    +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +any
    + + +[]Condition + + +    		 +(Optional) +

    AnyConditions enable variable-based conditional rule execution. This is useful for +finer control of when an rule is applied. A condition can reference object data +using JMESPath notation. +Here, at least one of the conditions need to pass.

    +
    +all
    + + +[]Condition + + +    		 +(Optional) +

    AllConditions enable variable-based conditional rule execution. This is useful for +finer control of when an rule is applied. A condition can reference object data +using JMESPath notation. +Here, all of the conditions need to pass.

    +
    +

    BackgroundScanReportSpec

    @@ -5962,6 +6319,227 @@ PolicyReportSummary

    +

    CleanupPolicySpec +

    +

    +(Appears on: +CleanupPolicy, +ClusterCleanupPolicy) +

    +

    +

    CleanupPolicySpec stores specifications for selecting resources that the user needs to delete +and schedule when the matching resources needs deleted.

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +context
    + + +[]ContextEntry + + +    		 +(Optional) +

    Context defines variables and data sources that can be used during rule execution.

    +
    +match
    + + +MatchResources + + +    		 +

    MatchResources defines when cleanuppolicy should be applied. The match +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the user name or role. +At least one kind is required.

    +
    +exclude
    + + +MatchResources + + +    		 +(Optional) +

    ExcludeResources defines when cleanuppolicy should not be applied. The exclude +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the name or role.

    +
    +schedule
    + +string + +    		 +

    The schedule in Cron format

    +
    +conditions
    + + +AnyAllConditions + + +    		 +(Optional) +

    Conditions defines the conditions used to select the resources which will be cleaned up.

    +
    +
    +

    CleanupPolicyStatus +

    +

    +(Appears on: +CleanupPolicy, +ClusterCleanupPolicy) +

    +

    +

    CleanupPolicyStatus stores the status of the policy.

    +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +conditions
    + + +[]Kubernetes meta/v1.Condition + + +    		 +
    +lastExecutionTime
    + + +Kubernetes meta/v1.Time + + +    		 +
    +
    +

    Condition +

    +

    +(Appears on: +AnyAllConditions) +

    +

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +key
    + + +Kubernetes apiextensions/v1.JSON + + +    		 +

    Key is the context entry (using JMESPath) for conditional rule evaluation.

    +
    +operator
    + + +ConditionOperator + + +    		 +

    Operator is the conditional operation to perform. Valid operators are: +Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, +GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, +DurationLessThanOrEquals, DurationLessThan

    +
    +value
    + + +Kubernetes apiextensions/v1.JSON + + +    		 +(Optional) +

    Value is the conditional value, or set of values. The values can be fixed set +or can be variables declared using JMESPath.

    +
    +message
    + +string + +    		 +

    Message is an optional display message

    +
    +
    +

    ConditionOperator +(string alias)

    +

    +(Appears on: +Condition) +

    +

    +

    ConditionOperator is the operation performed on condition key and value.

    +

    Exception

    @@ -6006,6 +6584,55 @@ references a ClusterPolicy.

    +

    MatchResources +

    +

    +(Appears on: +CleanupPolicySpec) +

    +

    +

    MatchResources is used to specify resource and admission review request data for +which a policy rule is applicable.

    +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +any
    + + +ResourceFilters + + +    		 +(Optional) +

    Any allows specifying resources which will be ORed

    +
    +all
    + + +ResourceFilters + + +    		 +(Optional) +

    All allows specifying resources which will be ANDed

    +
    +

    PolicyExceptionSpec

    diff --git a/pkg/client/applyconfigurations/kyverno/v2/anyallconditions.go b/pkg/client/applyconfigurations/kyverno/v2/anyallconditions.go new file mode 100644 index 0000000000..3a8b081583 --- /dev/null +++ b/pkg/client/applyconfigurations/kyverno/v2/anyallconditions.go @@ -0,0 +1,58 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v2 + +// AnyAllConditionsApplyConfiguration represents an declarative configuration of the AnyAllConditions type for use +// with apply. +type AnyAllConditionsApplyConfiguration struct { + AnyConditions []ConditionApplyConfiguration `json:"any,omitempty"` + AllConditions []ConditionApplyConfiguration `json:"all,omitempty"` +} + +// AnyAllConditionsApplyConfiguration constructs an declarative configuration of the AnyAllConditions type for use with +// apply. +func AnyAllConditions() *AnyAllConditionsApplyConfiguration { + return &AnyAllConditionsApplyConfiguration{} +} + +// WithAnyConditions adds the given value to the AnyConditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the AnyConditions field. +func (b *AnyAllConditionsApplyConfiguration) WithAnyConditions(values ...*ConditionApplyConfiguration) *AnyAllConditionsApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithAnyConditions") + } + b.AnyConditions = append(b.AnyConditions, *values[i]) + } + return b +} + +// WithAllConditions adds the given value to the AllConditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the AllConditions field. +func (b *AnyAllConditionsApplyConfiguration) WithAllConditions(values ...*ConditionApplyConfiguration) *AnyAllConditionsApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithAllConditions") + } + b.AllConditions = append(b.AllConditions, *values[i]) + } + return b +} diff --git a/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicy.go b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicy.go new file mode 100644 index 0000000000..f1d49d909d --- /dev/null +++ b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicy.go @@ -0,0 +1,219 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v2 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// CleanupPolicyApplyConfiguration represents an declarative configuration of the CleanupPolicy type for use +// with apply. +type CleanupPolicyApplyConfiguration struct { + v1.TypeMetaApplyConfiguration `json:",omitempty,inline"` + *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` + Spec *CleanupPolicySpecApplyConfiguration `json:"spec,omitempty"` + Status *CleanupPolicyStatusApplyConfiguration `json:"status,omitempty"` +} + +// CleanupPolicy constructs an declarative configuration of the CleanupPolicy type for use with +// apply. +func CleanupPolicy(name, namespace string) *CleanupPolicyApplyConfiguration { + b := &CleanupPolicyApplyConfiguration{} + b.WithName(name) + b.WithNamespace(namespace) + b.WithKind("CleanupPolicy") + b.WithAPIVersion("kyverno.io/v2") + return b +} + +// WithKind sets the Kind field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Kind field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithKind(value string) *CleanupPolicyApplyConfiguration { + b.Kind = &value + return b +} + +// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the APIVersion field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithAPIVersion(value string) *CleanupPolicyApplyConfiguration { + b.APIVersion = &value + return b +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithName(value string) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Name = &value + return b +} + +// WithGenerateName sets the GenerateName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the GenerateName field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithGenerateName(value string) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.GenerateName = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithNamespace(value string) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Namespace = &value + return b +} + +// WithUID sets the UID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UID field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithUID(value types.UID) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.UID = &value + return b +} + +// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceVersion field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithResourceVersion(value string) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ResourceVersion = &value + return b +} + +// WithGeneration sets the Generation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Generation field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithGeneration(value int64) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Generation = &value + return b +} + +// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CreationTimestamp field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.CreationTimestamp = &value + return b +} + +// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionTimestamp field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.DeletionTimestamp = &value + return b +} + +// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.DeletionGracePeriodSeconds = &value + return b +} + +// WithLabels puts the entries into the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Labels field, +// overwriting an existing map entries in Labels field with the same key. +func (b *CleanupPolicyApplyConfiguration) WithLabels(entries map[string]string) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.Labels == nil && len(entries) > 0 { + b.Labels = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.Labels[k] = v + } + return b +} + +// WithAnnotations puts the entries into the Annotations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Annotations field, +// overwriting an existing map entries in Annotations field with the same key. +func (b *CleanupPolicyApplyConfiguration) WithAnnotations(entries map[string]string) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.Annotations == nil && len(entries) > 0 { + b.Annotations = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.Annotations[k] = v + } + return b +} + +// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OwnerReferences field. +func (b *CleanupPolicyApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOwnerReferences") + } + b.OwnerReferences = append(b.OwnerReferences, *values[i]) + } + return b +} + +// WithFinalizers adds the given value to the Finalizers field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Finalizers field. +func (b *CleanupPolicyApplyConfiguration) WithFinalizers(values ...string) *CleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + b.Finalizers = append(b.Finalizers, values[i]) + } + return b +} + +func (b *CleanupPolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { + if b.ObjectMetaApplyConfiguration == nil { + b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{} + } +} + +// WithSpec sets the Spec field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Spec field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithSpec(value *CleanupPolicySpecApplyConfiguration) *CleanupPolicyApplyConfiguration { + b.Spec = value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Status field is set to the value of the last call. +func (b *CleanupPolicyApplyConfiguration) WithStatus(value *CleanupPolicyStatusApplyConfiguration) *CleanupPolicyApplyConfiguration { + b.Status = value + return b +} diff --git a/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicyspec.go b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicyspec.go new file mode 100644 index 0000000000..acbbba3bfc --- /dev/null +++ b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicyspec.go @@ -0,0 +1,84 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v2 + +import ( + v1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1" +) + +// CleanupPolicySpecApplyConfiguration represents an declarative configuration of the CleanupPolicySpec type for use +// with apply. +type CleanupPolicySpecApplyConfiguration struct { + Context []v1.ContextEntryApplyConfiguration `json:"context,omitempty"` + MatchResources *MatchResourcesApplyConfiguration `json:"match,omitempty"` + ExcludeResources *MatchResourcesApplyConfiguration `json:"exclude,omitempty"` + Schedule *string `json:"schedule,omitempty"` + Conditions *AnyAllConditionsApplyConfiguration `json:"conditions,omitempty"` +} + +// CleanupPolicySpecApplyConfiguration constructs an declarative configuration of the CleanupPolicySpec type for use with +// apply. +func CleanupPolicySpec() *CleanupPolicySpecApplyConfiguration { + return &CleanupPolicySpecApplyConfiguration{} +} + +// WithContext adds the given value to the Context field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Context field. +func (b *CleanupPolicySpecApplyConfiguration) WithContext(values ...*v1.ContextEntryApplyConfiguration) *CleanupPolicySpecApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithContext") + } + b.Context = append(b.Context, *values[i]) + } + return b +} + +// WithMatchResources sets the MatchResources field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the MatchResources field is set to the value of the last call. +func (b *CleanupPolicySpecApplyConfiguration) WithMatchResources(value *MatchResourcesApplyConfiguration) *CleanupPolicySpecApplyConfiguration { + b.MatchResources = value + return b +} + +// WithExcludeResources sets the ExcludeResources field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ExcludeResources field is set to the value of the last call. +func (b *CleanupPolicySpecApplyConfiguration) WithExcludeResources(value *MatchResourcesApplyConfiguration) *CleanupPolicySpecApplyConfiguration { + b.ExcludeResources = value + return b +} + +// WithSchedule sets the Schedule field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Schedule field is set to the value of the last call. +func (b *CleanupPolicySpecApplyConfiguration) WithSchedule(value string) *CleanupPolicySpecApplyConfiguration { + b.Schedule = &value + return b +} + +// WithConditions sets the Conditions field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Conditions field is set to the value of the last call. +func (b *CleanupPolicySpecApplyConfiguration) WithConditions(value *AnyAllConditionsApplyConfiguration) *CleanupPolicySpecApplyConfiguration { + b.Conditions = value + return b +} diff --git a/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicystatus.go b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicystatus.go new file mode 100644 index 0000000000..42471820f5 --- /dev/null +++ b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicystatus.go @@ -0,0 +1,54 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v2 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// CleanupPolicyStatusApplyConfiguration represents an declarative configuration of the CleanupPolicyStatus type for use +// with apply. +type CleanupPolicyStatusApplyConfiguration struct { + Conditions []v1.Condition `json:"conditions,omitempty"` + LastExecutionTime *v1.Time `json:"lastExecutionTime,omitempty"` +} + +// CleanupPolicyStatusApplyConfiguration constructs an declarative configuration of the CleanupPolicyStatus type for use with +// apply. +func CleanupPolicyStatus() *CleanupPolicyStatusApplyConfiguration { + return &CleanupPolicyStatusApplyConfiguration{} +} + +// WithConditions adds the given value to the Conditions field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Conditions field. +func (b *CleanupPolicyStatusApplyConfiguration) WithConditions(values ...v1.Condition) *CleanupPolicyStatusApplyConfiguration { + for i := range values { + b.Conditions = append(b.Conditions, values[i]) + } + return b +} + +// WithLastExecutionTime sets the LastExecutionTime field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the LastExecutionTime field is set to the value of the last call. +func (b *CleanupPolicyStatusApplyConfiguration) WithLastExecutionTime(value v1.Time) *CleanupPolicyStatusApplyConfiguration { + b.LastExecutionTime = &value + return b +} diff --git a/pkg/client/applyconfigurations/kyverno/v2/clustercleanuppolicy.go b/pkg/client/applyconfigurations/kyverno/v2/clustercleanuppolicy.go new file mode 100644 index 0000000000..399cbf0c7b --- /dev/null +++ b/pkg/client/applyconfigurations/kyverno/v2/clustercleanuppolicy.go @@ -0,0 +1,218 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v2 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + v1 "k8s.io/client-go/applyconfigurations/meta/v1" +) + +// ClusterCleanupPolicyApplyConfiguration represents an declarative configuration of the ClusterCleanupPolicy type for use +// with apply. +type ClusterCleanupPolicyApplyConfiguration struct { + v1.TypeMetaApplyConfiguration `json:",omitempty,inline"` + *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` + Spec *CleanupPolicySpecApplyConfiguration `json:"spec,omitempty"` + Status *CleanupPolicyStatusApplyConfiguration `json:"status,omitempty"` +} + +// ClusterCleanupPolicy constructs an declarative configuration of the ClusterCleanupPolicy type for use with +// apply. +func ClusterCleanupPolicy(name string) *ClusterCleanupPolicyApplyConfiguration { + b := &ClusterCleanupPolicyApplyConfiguration{} + b.WithName(name) + b.WithKind("ClusterCleanupPolicy") + b.WithAPIVersion("kyverno.io/v2") + return b +} + +// WithKind sets the Kind field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Kind field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithKind(value string) *ClusterCleanupPolicyApplyConfiguration { + b.Kind = &value + return b +} + +// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the APIVersion field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithAPIVersion(value string) *ClusterCleanupPolicyApplyConfiguration { + b.APIVersion = &value + return b +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithName(value string) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Name = &value + return b +} + +// WithGenerateName sets the GenerateName field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the GenerateName field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithGenerateName(value string) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.GenerateName = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithNamespace(value string) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Namespace = &value + return b +} + +// WithUID sets the UID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UID field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithUID(value types.UID) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.UID = &value + return b +} + +// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ResourceVersion field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithResourceVersion(value string) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.ResourceVersion = &value + return b +} + +// WithGeneration sets the Generation field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Generation field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithGeneration(value int64) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.Generation = &value + return b +} + +// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CreationTimestamp field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithCreationTimestamp(value metav1.Time) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.CreationTimestamp = &value + return b +} + +// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionTimestamp field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.DeletionTimestamp = &value + return b +} + +// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + b.DeletionGracePeriodSeconds = &value + return b +} + +// WithLabels puts the entries into the Labels field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Labels field, +// overwriting an existing map entries in Labels field with the same key. +func (b *ClusterCleanupPolicyApplyConfiguration) WithLabels(entries map[string]string) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.Labels == nil && len(entries) > 0 { + b.Labels = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.Labels[k] = v + } + return b +} + +// WithAnnotations puts the entries into the Annotations field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, the entries provided by each call will be put on the Annotations field, +// overwriting an existing map entries in Annotations field with the same key. +func (b *ClusterCleanupPolicyApplyConfiguration) WithAnnotations(entries map[string]string) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + if b.Annotations == nil && len(entries) > 0 { + b.Annotations = make(map[string]string, len(entries)) + } + for k, v := range entries { + b.Annotations[k] = v + } + return b +} + +// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the OwnerReferences field. +func (b *ClusterCleanupPolicyApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + if values[i] == nil { + panic("nil value passed to WithOwnerReferences") + } + b.OwnerReferences = append(b.OwnerReferences, *values[i]) + } + return b +} + +// WithFinalizers adds the given value to the Finalizers field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Finalizers field. +func (b *ClusterCleanupPolicyApplyConfiguration) WithFinalizers(values ...string) *ClusterCleanupPolicyApplyConfiguration { + b.ensureObjectMetaApplyConfigurationExists() + for i := range values { + b.Finalizers = append(b.Finalizers, values[i]) + } + return b +} + +func (b *ClusterCleanupPolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { + if b.ObjectMetaApplyConfiguration == nil { + b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{} + } +} + +// WithSpec sets the Spec field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Spec field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithSpec(value *CleanupPolicySpecApplyConfiguration) *ClusterCleanupPolicyApplyConfiguration { + b.Spec = value + return b +} + +// WithStatus sets the Status field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Status field is set to the value of the last call. +func (b *ClusterCleanupPolicyApplyConfiguration) WithStatus(value *CleanupPolicyStatusApplyConfiguration) *ClusterCleanupPolicyApplyConfiguration { + b.Status = value + return b +} diff --git a/pkg/client/applyconfigurations/kyverno/v2/condition.go b/pkg/client/applyconfigurations/kyverno/v2/condition.go new file mode 100644 index 0000000000..fe319c66f4 --- /dev/null +++ b/pkg/client/applyconfigurations/kyverno/v2/condition.go @@ -0,0 +1,71 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v2 + +import ( + v2 "github.com/kyverno/kyverno/api/kyverno/v2" + v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" +) + +// ConditionApplyConfiguration represents an declarative configuration of the Condition type for use +// with apply. +type ConditionApplyConfiguration struct { + RawKey *v1.JSON `json:"key,omitempty"` + Operator *v2.ConditionOperator `json:"operator,omitempty"` + RawValue *v1.JSON `json:"value,omitempty"` + Message *string `json:"message,omitempty"` +} + +// ConditionApplyConfiguration constructs an declarative configuration of the Condition type for use with +// apply. +func Condition() *ConditionApplyConfiguration { + return &ConditionApplyConfiguration{} +} + +// WithRawKey sets the RawKey field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the RawKey field is set to the value of the last call. +func (b *ConditionApplyConfiguration) WithRawKey(value v1.JSON) *ConditionApplyConfiguration { + b.RawKey = &value + return b +} + +// WithOperator sets the Operator field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Operator field is set to the value of the last call. +func (b *ConditionApplyConfiguration) WithOperator(value v2.ConditionOperator) *ConditionApplyConfiguration { + b.Operator = &value + return b +} + +// WithRawValue sets the RawValue field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the RawValue field is set to the value of the last call. +func (b *ConditionApplyConfiguration) WithRawValue(value v1.JSON) *ConditionApplyConfiguration { + b.RawValue = &value + return b +} + +// WithMessage sets the Message field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Message field is set to the value of the last call. +func (b *ConditionApplyConfiguration) WithMessage(value string) *ConditionApplyConfiguration { + b.Message = &value + return b +} diff --git a/pkg/client/applyconfigurations/kyverno/v2/matchresources.go b/pkg/client/applyconfigurations/kyverno/v2/matchresources.go new file mode 100644 index 0000000000..6d5fe8ab03 --- /dev/null +++ b/pkg/client/applyconfigurations/kyverno/v2/matchresources.go @@ -0,0 +1,52 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v2 + +import ( + v1 "github.com/kyverno/kyverno/api/kyverno/v1" +) + +// MatchResourcesApplyConfiguration represents an declarative configuration of the MatchResources type for use +// with apply. +type MatchResourcesApplyConfiguration struct { + Any *v1.ResourceFilters `json:"any,omitempty"` + All *v1.ResourceFilters `json:"all,omitempty"` +} + +// MatchResourcesApplyConfiguration constructs an declarative configuration of the MatchResources type for use with +// apply. +func MatchResources() *MatchResourcesApplyConfiguration { + return &MatchResourcesApplyConfiguration{} +} + +// WithAny sets the Any field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Any field is set to the value of the last call. +func (b *MatchResourcesApplyConfiguration) WithAny(value v1.ResourceFilters) *MatchResourcesApplyConfiguration { + b.Any = &value + return b +} + +// WithAll sets the All field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the All field is set to the value of the last call. +func (b *MatchResourcesApplyConfiguration) WithAll(value v1.ResourceFilters) *MatchResourcesApplyConfiguration { + b.All = &value + return b +} diff --git a/pkg/client/applyconfigurations/utils.go b/pkg/client/applyconfigurations/utils.go index 3829bc2e74..f307e02b09 100644 --- a/pkg/client/applyconfigurations/utils.go +++ b/pkg/client/applyconfigurations/utils.go @@ -171,16 +171,30 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &kyvernov2.AdmissionReportApplyConfiguration{} case v2.SchemeGroupVersion.WithKind("AdmissionReportSpec"): return &kyvernov2.AdmissionReportSpecApplyConfiguration{} + case v2.SchemeGroupVersion.WithKind("AnyAllConditions"): + return &kyvernov2.AnyAllConditionsApplyConfiguration{} case v2.SchemeGroupVersion.WithKind("BackgroundScanReport"): return &kyvernov2.BackgroundScanReportApplyConfiguration{} case v2.SchemeGroupVersion.WithKind("BackgroundScanReportSpec"): return &kyvernov2.BackgroundScanReportSpecApplyConfiguration{} + case v2.SchemeGroupVersion.WithKind("CleanupPolicy"): + return &kyvernov2.CleanupPolicyApplyConfiguration{} + case v2.SchemeGroupVersion.WithKind("CleanupPolicySpec"): + return &kyvernov2.CleanupPolicySpecApplyConfiguration{} + case v2.SchemeGroupVersion.WithKind("CleanupPolicyStatus"): + return &kyvernov2.CleanupPolicyStatusApplyConfiguration{} case v2.SchemeGroupVersion.WithKind("ClusterAdmissionReport"): return &kyvernov2.ClusterAdmissionReportApplyConfiguration{} case v2.SchemeGroupVersion.WithKind("ClusterBackgroundScanReport"): return &kyvernov2.ClusterBackgroundScanReportApplyConfiguration{} + case v2.SchemeGroupVersion.WithKind("ClusterCleanupPolicy"): + return &kyvernov2.ClusterCleanupPolicyApplyConfiguration{} + case v2.SchemeGroupVersion.WithKind("Condition"): + return &kyvernov2.ConditionApplyConfiguration{} case v2.SchemeGroupVersion.WithKind("Exception"): return &kyvernov2.ExceptionApplyConfiguration{} + case v2.SchemeGroupVersion.WithKind("MatchResources"): + return &kyvernov2.MatchResourcesApplyConfiguration{} case v2.SchemeGroupVersion.WithKind("PolicyException"): return &kyvernov2.PolicyExceptionApplyConfiguration{} case v2.SchemeGroupVersion.WithKind("PolicyExceptionSpec"): diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/cleanuppolicy.go b/pkg/client/clientset/versioned/typed/kyverno/v2/cleanuppolicy.go new file mode 100644 index 0000000000..6203a0498f --- /dev/null +++ b/pkg/client/clientset/versioned/typed/kyverno/v2/cleanuppolicy.go @@ -0,0 +1,195 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v2 + +import ( + "context" + "time" + + v2 "github.com/kyverno/kyverno/api/kyverno/v2" + scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// CleanupPoliciesGetter has a method to return a CleanupPolicyInterface. +// A group's client should implement this interface. +type CleanupPoliciesGetter interface { + CleanupPolicies(namespace string) CleanupPolicyInterface +} + +// CleanupPolicyInterface has methods to work with CleanupPolicy resources. +type CleanupPolicyInterface interface { + Create(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.CreateOptions) (*v2.CleanupPolicy, error) + Update(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (*v2.CleanupPolicy, error) + UpdateStatus(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (*v2.CleanupPolicy, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v2.CleanupPolicy, error) + List(ctx context.Context, opts v1.ListOptions) (*v2.CleanupPolicyList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.CleanupPolicy, err error) + CleanupPolicyExpansion +} + +// cleanupPolicies implements CleanupPolicyInterface +type cleanupPolicies struct { + client rest.Interface + ns string +} + +// newCleanupPolicies returns a CleanupPolicies +func newCleanupPolicies(c *KyvernoV2Client, namespace string) *cleanupPolicies { + return &cleanupPolicies{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the cleanupPolicy, and returns the corresponding cleanupPolicy object, and an error if there is any. +func (c *cleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.CleanupPolicy, err error) { + result = &v2.CleanupPolicy{} + err = c.client.Get(). + Namespace(c.ns). + Resource("cleanuppolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of CleanupPolicies that match those selectors. +func (c *cleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.CleanupPolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v2.CleanupPolicyList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("cleanuppolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested cleanupPolicies. +func (c *cleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("cleanuppolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a cleanupPolicy and creates it. Returns the server's representation of the cleanupPolicy, and an error, if there is any. +func (c *cleanupPolicies) Create(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.CreateOptions) (result *v2.CleanupPolicy, err error) { + result = &v2.CleanupPolicy{} + err = c.client.Post(). + Namespace(c.ns). + Resource("cleanuppolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(cleanupPolicy). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a cleanupPolicy and updates it. Returns the server's representation of the cleanupPolicy, and an error, if there is any. +func (c *cleanupPolicies) Update(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (result *v2.CleanupPolicy, err error) { + result = &v2.CleanupPolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("cleanuppolicies"). + Name(cleanupPolicy.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(cleanupPolicy). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *cleanupPolicies) UpdateStatus(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (result *v2.CleanupPolicy, err error) { + result = &v2.CleanupPolicy{} + err = c.client.Put(). + Namespace(c.ns). + Resource("cleanuppolicies"). + Name(cleanupPolicy.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(cleanupPolicy). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the cleanupPolicy and deletes it. Returns an error if one occurs. +func (c *cleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("cleanuppolicies"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *cleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("cleanuppolicies"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched cleanupPolicy. +func (c *cleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.CleanupPolicy, err error) { + result = &v2.CleanupPolicy{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("cleanuppolicies"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/clustercleanuppolicy.go b/pkg/client/clientset/versioned/typed/kyverno/v2/clustercleanuppolicy.go new file mode 100644 index 0000000000..709a8fb6be --- /dev/null +++ b/pkg/client/clientset/versioned/typed/kyverno/v2/clustercleanuppolicy.go @@ -0,0 +1,184 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v2 + +import ( + "context" + "time" + + v2 "github.com/kyverno/kyverno/api/kyverno/v2" + scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// ClusterCleanupPoliciesGetter has a method to return a ClusterCleanupPolicyInterface. +// A group's client should implement this interface. +type ClusterCleanupPoliciesGetter interface { + ClusterCleanupPolicies() ClusterCleanupPolicyInterface +} + +// ClusterCleanupPolicyInterface has methods to work with ClusterCleanupPolicy resources. +type ClusterCleanupPolicyInterface interface { + Create(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.CreateOptions) (*v2.ClusterCleanupPolicy, error) + Update(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (*v2.ClusterCleanupPolicy, error) + UpdateStatus(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (*v2.ClusterCleanupPolicy, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v2.ClusterCleanupPolicy, error) + List(ctx context.Context, opts v1.ListOptions) (*v2.ClusterCleanupPolicyList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.ClusterCleanupPolicy, err error) + ClusterCleanupPolicyExpansion +} + +// clusterCleanupPolicies implements ClusterCleanupPolicyInterface +type clusterCleanupPolicies struct { + client rest.Interface +} + +// newClusterCleanupPolicies returns a ClusterCleanupPolicies +func newClusterCleanupPolicies(c *KyvernoV2Client) *clusterCleanupPolicies { + return &clusterCleanupPolicies{ + client: c.RESTClient(), + } +} + +// Get takes name of the clusterCleanupPolicy, and returns the corresponding clusterCleanupPolicy object, and an error if there is any. +func (c *clusterCleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.ClusterCleanupPolicy, err error) { + result = &v2.ClusterCleanupPolicy{} + err = c.client.Get(). + Resource("clustercleanuppolicies"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of ClusterCleanupPolicies that match those selectors. +func (c *clusterCleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.ClusterCleanupPolicyList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v2.ClusterCleanupPolicyList{} + err = c.client.Get(). + Resource("clustercleanuppolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested clusterCleanupPolicies. +func (c *clusterCleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Resource("clustercleanuppolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a clusterCleanupPolicy and creates it. Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any. +func (c *clusterCleanupPolicies) Create(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.CreateOptions) (result *v2.ClusterCleanupPolicy, err error) { + result = &v2.ClusterCleanupPolicy{} + err = c.client.Post(). + Resource("clustercleanuppolicies"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterCleanupPolicy). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a clusterCleanupPolicy and updates it. Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any. +func (c *clusterCleanupPolicies) Update(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (result *v2.ClusterCleanupPolicy, err error) { + result = &v2.ClusterCleanupPolicy{} + err = c.client.Put(). + Resource("clustercleanuppolicies"). + Name(clusterCleanupPolicy.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterCleanupPolicy). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *clusterCleanupPolicies) UpdateStatus(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (result *v2.ClusterCleanupPolicy, err error) { + result = &v2.ClusterCleanupPolicy{} + err = c.client.Put(). + Resource("clustercleanuppolicies"). + Name(clusterCleanupPolicy.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterCleanupPolicy). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the clusterCleanupPolicy and deletes it. Returns an error if one occurs. +func (c *clusterCleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Resource("clustercleanuppolicies"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *clusterCleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Resource("clustercleanuppolicies"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched clusterCleanupPolicy. +func (c *clusterCleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.ClusterCleanupPolicy, err error) { + result = &v2.ClusterCleanupPolicy{} + err = c.client.Patch(pt). + Resource("clustercleanuppolicies"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_cleanuppolicy.go b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_cleanuppolicy.go new file mode 100644 index 0000000000..4ce42e6997 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_cleanuppolicy.go @@ -0,0 +1,141 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v2 "github.com/kyverno/kyverno/api/kyverno/v2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeCleanupPolicies implements CleanupPolicyInterface +type FakeCleanupPolicies struct { + Fake *FakeKyvernoV2 + ns string +} + +var cleanuppoliciesResource = v2.SchemeGroupVersion.WithResource("cleanuppolicies") + +var cleanuppoliciesKind = v2.SchemeGroupVersion.WithKind("CleanupPolicy") + +// Get takes name of the cleanupPolicy, and returns the corresponding cleanupPolicy object, and an error if there is any. +func (c *FakeCleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.CleanupPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(cleanuppoliciesResource, c.ns, name), &v2.CleanupPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v2.CleanupPolicy), err +} + +// List takes label and field selectors, and returns the list of CleanupPolicies that match those selectors. +func (c *FakeCleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.CleanupPolicyList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(cleanuppoliciesResource, cleanuppoliciesKind, c.ns, opts), &v2.CleanupPolicyList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v2.CleanupPolicyList{ListMeta: obj.(*v2.CleanupPolicyList).ListMeta} + for _, item := range obj.(*v2.CleanupPolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested cleanupPolicies. +func (c *FakeCleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(cleanuppoliciesResource, c.ns, opts)) + +} + +// Create takes the representation of a cleanupPolicy and creates it. Returns the server's representation of the cleanupPolicy, and an error, if there is any. +func (c *FakeCleanupPolicies) Create(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.CreateOptions) (result *v2.CleanupPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(cleanuppoliciesResource, c.ns, cleanupPolicy), &v2.CleanupPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v2.CleanupPolicy), err +} + +// Update takes the representation of a cleanupPolicy and updates it. Returns the server's representation of the cleanupPolicy, and an error, if there is any. +func (c *FakeCleanupPolicies) Update(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (result *v2.CleanupPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(cleanuppoliciesResource, c.ns, cleanupPolicy), &v2.CleanupPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v2.CleanupPolicy), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeCleanupPolicies) UpdateStatus(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (*v2.CleanupPolicy, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(cleanuppoliciesResource, "status", c.ns, cleanupPolicy), &v2.CleanupPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v2.CleanupPolicy), err +} + +// Delete takes name of the cleanupPolicy and deletes it. Returns an error if one occurs. +func (c *FakeCleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(cleanuppoliciesResource, c.ns, name, opts), &v2.CleanupPolicy{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeCleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(cleanuppoliciesResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v2.CleanupPolicyList{}) + return err +} + +// Patch applies the patch and returns the patched cleanupPolicy. +func (c *FakeCleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.CleanupPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(cleanuppoliciesResource, c.ns, name, pt, data, subresources...), &v2.CleanupPolicy{}) + + if obj == nil { + return nil, err + } + return obj.(*v2.CleanupPolicy), err +} diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_clustercleanuppolicy.go b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_clustercleanuppolicy.go new file mode 100644 index 0000000000..f8562d7c74 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_clustercleanuppolicy.go @@ -0,0 +1,132 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v2 "github.com/kyverno/kyverno/api/kyverno/v2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeClusterCleanupPolicies implements ClusterCleanupPolicyInterface +type FakeClusterCleanupPolicies struct { + Fake *FakeKyvernoV2 +} + +var clustercleanuppoliciesResource = v2.SchemeGroupVersion.WithResource("clustercleanuppolicies") + +var clustercleanuppoliciesKind = v2.SchemeGroupVersion.WithKind("ClusterCleanupPolicy") + +// Get takes name of the clusterCleanupPolicy, and returns the corresponding clusterCleanupPolicy object, and an error if there is any. +func (c *FakeClusterCleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.ClusterCleanupPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootGetAction(clustercleanuppoliciesResource, name), &v2.ClusterCleanupPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v2.ClusterCleanupPolicy), err +} + +// List takes label and field selectors, and returns the list of ClusterCleanupPolicies that match those selectors. +func (c *FakeClusterCleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.ClusterCleanupPolicyList, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootListAction(clustercleanuppoliciesResource, clustercleanuppoliciesKind, opts), &v2.ClusterCleanupPolicyList{}) + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v2.ClusterCleanupPolicyList{ListMeta: obj.(*v2.ClusterCleanupPolicyList).ListMeta} + for _, item := range obj.(*v2.ClusterCleanupPolicyList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested clusterCleanupPolicies. +func (c *FakeClusterCleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewRootWatchAction(clustercleanuppoliciesResource, opts)) +} + +// Create takes the representation of a clusterCleanupPolicy and creates it. Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any. +func (c *FakeClusterCleanupPolicies) Create(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.CreateOptions) (result *v2.ClusterCleanupPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootCreateAction(clustercleanuppoliciesResource, clusterCleanupPolicy), &v2.ClusterCleanupPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v2.ClusterCleanupPolicy), err +} + +// Update takes the representation of a clusterCleanupPolicy and updates it. Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any. +func (c *FakeClusterCleanupPolicies) Update(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (result *v2.ClusterCleanupPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootUpdateAction(clustercleanuppoliciesResource, clusterCleanupPolicy), &v2.ClusterCleanupPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v2.ClusterCleanupPolicy), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeClusterCleanupPolicies) UpdateStatus(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (*v2.ClusterCleanupPolicy, error) { + obj, err := c.Fake. + Invokes(testing.NewRootUpdateSubresourceAction(clustercleanuppoliciesResource, "status", clusterCleanupPolicy), &v2.ClusterCleanupPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v2.ClusterCleanupPolicy), err +} + +// Delete takes name of the clusterCleanupPolicy and deletes it. Returns an error if one occurs. +func (c *FakeClusterCleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewRootDeleteActionWithOptions(clustercleanuppoliciesResource, name, opts), &v2.ClusterCleanupPolicy{}) + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeClusterCleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewRootDeleteCollectionAction(clustercleanuppoliciesResource, listOpts) + + _, err := c.Fake.Invokes(action, &v2.ClusterCleanupPolicyList{}) + return err +} + +// Patch applies the patch and returns the patched clusterCleanupPolicy. +func (c *FakeClusterCleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.ClusterCleanupPolicy, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootPatchSubresourceAction(clustercleanuppoliciesResource, name, pt, data, subresources...), &v2.ClusterCleanupPolicy{}) + if obj == nil { + return nil, err + } + return obj.(*v2.ClusterCleanupPolicy), err +} diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_kyverno_client.go b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_kyverno_client.go index 000f9d06d0..4b1c8f3f8b 100644 --- a/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_kyverno_client.go +++ b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_kyverno_client.go @@ -36,6 +36,10 @@ func (c *FakeKyvernoV2) BackgroundScanReports(namespace string) v2.BackgroundSca return &FakeBackgroundScanReports{c, namespace} } +func (c *FakeKyvernoV2) CleanupPolicies(namespace string) v2.CleanupPolicyInterface { + return &FakeCleanupPolicies{c, namespace} +} + func (c *FakeKyvernoV2) ClusterAdmissionReports() v2.ClusterAdmissionReportInterface { return &FakeClusterAdmissionReports{c} } @@ -44,6 +48,10 @@ func (c *FakeKyvernoV2) ClusterBackgroundScanReports() v2.ClusterBackgroundScanR return &FakeClusterBackgroundScanReports{c} } +func (c *FakeKyvernoV2) ClusterCleanupPolicies() v2.ClusterCleanupPolicyInterface { + return &FakeClusterCleanupPolicies{c} +} + func (c *FakeKyvernoV2) PolicyExceptions(namespace string) v2.PolicyExceptionInterface { return &FakePolicyExceptions{c, namespace} } diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/generated_expansion.go b/pkg/client/clientset/versioned/typed/kyverno/v2/generated_expansion.go index c2310d3094..12949a2d8a 100644 --- a/pkg/client/clientset/versioned/typed/kyverno/v2/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/kyverno/v2/generated_expansion.go @@ -22,8 +22,12 @@ type AdmissionReportExpansion interface{} type BackgroundScanReportExpansion interface{} +type CleanupPolicyExpansion interface{} + type ClusterAdmissionReportExpansion interface{} type ClusterBackgroundScanReportExpansion interface{} +type ClusterCleanupPolicyExpansion interface{} + type PolicyExceptionExpansion interface{} diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/kyverno_client.go b/pkg/client/clientset/versioned/typed/kyverno/v2/kyverno_client.go index 716a42e189..a8c3bd43b2 100644 --- a/pkg/client/clientset/versioned/typed/kyverno/v2/kyverno_client.go +++ b/pkg/client/clientset/versioned/typed/kyverno/v2/kyverno_client.go @@ -30,8 +30,10 @@ type KyvernoV2Interface interface { RESTClient() rest.Interface AdmissionReportsGetter BackgroundScanReportsGetter + CleanupPoliciesGetter ClusterAdmissionReportsGetter ClusterBackgroundScanReportsGetter + ClusterCleanupPoliciesGetter PolicyExceptionsGetter } @@ -48,6 +50,10 @@ func (c *KyvernoV2Client) BackgroundScanReports(namespace string) BackgroundScan return newBackgroundScanReports(c, namespace) } +func (c *KyvernoV2Client) CleanupPolicies(namespace string) CleanupPolicyInterface { + return newCleanupPolicies(c, namespace) +} + func (c *KyvernoV2Client) ClusterAdmissionReports() ClusterAdmissionReportInterface { return newClusterAdmissionReports(c) } @@ -56,6 +62,10 @@ func (c *KyvernoV2Client) ClusterBackgroundScanReports() ClusterBackgroundScanRe return newClusterBackgroundScanReports(c) } +func (c *KyvernoV2Client) ClusterCleanupPolicies() ClusterCleanupPolicyInterface { + return newClusterCleanupPolicies(c) +} + func (c *KyvernoV2Client) PolicyExceptions(namespace string) PolicyExceptionInterface { return newPolicyExceptions(c, namespace) } diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go index b6a853eb02..e50a52f7b8 100644 --- a/pkg/client/informers/externalversions/generic.go +++ b/pkg/client/informers/externalversions/generic.go @@ -83,10 +83,14 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().AdmissionReports().Informer()}, nil case v2.SchemeGroupVersion.WithResource("backgroundscanreports"): return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().BackgroundScanReports().Informer()}, nil + case v2.SchemeGroupVersion.WithResource("cleanuppolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().CleanupPolicies().Informer()}, nil case v2.SchemeGroupVersion.WithResource("clusteradmissionreports"): return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().ClusterAdmissionReports().Informer()}, nil case v2.SchemeGroupVersion.WithResource("clusterbackgroundscanreports"): return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().ClusterBackgroundScanReports().Informer()}, nil + case v2.SchemeGroupVersion.WithResource("clustercleanuppolicies"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().ClusterCleanupPolicies().Informer()}, nil case v2.SchemeGroupVersion.WithResource("policyexceptions"): return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().PolicyExceptions().Informer()}, nil diff --git a/pkg/client/informers/externalversions/kyverno/v2/cleanuppolicy.go b/pkg/client/informers/externalversions/kyverno/v2/cleanuppolicy.go new file mode 100644 index 0000000000..7ee4192bcc --- /dev/null +++ b/pkg/client/informers/externalversions/kyverno/v2/cleanuppolicy.go @@ -0,0 +1,90 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v2 + +import ( + "context" + time "time" + + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned" + internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces" + v2 "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// CleanupPolicyInformer provides access to a shared informer and lister for +// CleanupPolicies. +type CleanupPolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v2.CleanupPolicyLister +} + +type cleanupPolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewCleanupPolicyInformer constructs a new informer for CleanupPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewCleanupPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredCleanupPolicyInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredCleanupPolicyInformer constructs a new informer for CleanupPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredCleanupPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.KyvernoV2().CleanupPolicies(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.KyvernoV2().CleanupPolicies(namespace).Watch(context.TODO(), options) + }, + }, + &kyvernov2.CleanupPolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *cleanupPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredCleanupPolicyInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *cleanupPolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&kyvernov2.CleanupPolicy{}, f.defaultInformer) +} + +func (f *cleanupPolicyInformer) Lister() v2.CleanupPolicyLister { + return v2.NewCleanupPolicyLister(f.Informer().GetIndexer()) +} diff --git a/pkg/client/informers/externalversions/kyverno/v2/clustercleanuppolicy.go b/pkg/client/informers/externalversions/kyverno/v2/clustercleanuppolicy.go new file mode 100644 index 0000000000..8b6b1916b0 --- /dev/null +++ b/pkg/client/informers/externalversions/kyverno/v2/clustercleanuppolicy.go @@ -0,0 +1,89 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v2 + +import ( + "context" + time "time" + + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned" + internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces" + v2 "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ClusterCleanupPolicyInformer provides access to a shared informer and lister for +// ClusterCleanupPolicies. +type ClusterCleanupPolicyInformer interface { + Informer() cache.SharedIndexInformer + Lister() v2.ClusterCleanupPolicyLister +} + +type clusterCleanupPolicyInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewClusterCleanupPolicyInformer constructs a new informer for ClusterCleanupPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewClusterCleanupPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredClusterCleanupPolicyInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredClusterCleanupPolicyInformer constructs a new informer for ClusterCleanupPolicy type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredClusterCleanupPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.KyvernoV2().ClusterCleanupPolicies().List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.KyvernoV2().ClusterCleanupPolicies().Watch(context.TODO(), options) + }, + }, + &kyvernov2.ClusterCleanupPolicy{}, + resyncPeriod, + indexers, + ) +} + +func (f *clusterCleanupPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredClusterCleanupPolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *clusterCleanupPolicyInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&kyvernov2.ClusterCleanupPolicy{}, f.defaultInformer) +} + +func (f *clusterCleanupPolicyInformer) Lister() v2.ClusterCleanupPolicyLister { + return v2.NewClusterCleanupPolicyLister(f.Informer().GetIndexer()) +} diff --git a/pkg/client/informers/externalversions/kyverno/v2/interface.go b/pkg/client/informers/externalversions/kyverno/v2/interface.go index 3502ee6ed3..5c1e408f35 100644 --- a/pkg/client/informers/externalversions/kyverno/v2/interface.go +++ b/pkg/client/informers/externalversions/kyverno/v2/interface.go @@ -28,10 +28,14 @@ type Interface interface { AdmissionReports() AdmissionReportInformer // BackgroundScanReports returns a BackgroundScanReportInformer. BackgroundScanReports() BackgroundScanReportInformer + // CleanupPolicies returns a CleanupPolicyInformer. + CleanupPolicies() CleanupPolicyInformer // ClusterAdmissionReports returns a ClusterAdmissionReportInformer. ClusterAdmissionReports() ClusterAdmissionReportInformer // ClusterBackgroundScanReports returns a ClusterBackgroundScanReportInformer. ClusterBackgroundScanReports() ClusterBackgroundScanReportInformer + // ClusterCleanupPolicies returns a ClusterCleanupPolicyInformer. + ClusterCleanupPolicies() ClusterCleanupPolicyInformer // PolicyExceptions returns a PolicyExceptionInformer. PolicyExceptions() PolicyExceptionInformer } @@ -57,6 +61,11 @@ func (v *version) BackgroundScanReports() BackgroundScanReportInformer { return &backgroundScanReportInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// CleanupPolicies returns a CleanupPolicyInformer. +func (v *version) CleanupPolicies() CleanupPolicyInformer { + return &cleanupPolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // ClusterAdmissionReports returns a ClusterAdmissionReportInformer. func (v *version) ClusterAdmissionReports() ClusterAdmissionReportInformer { return &clusterAdmissionReportInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} @@ -67,6 +76,11 @@ func (v *version) ClusterBackgroundScanReports() ClusterBackgroundScanReportInfo return &clusterBackgroundScanReportInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } +// ClusterCleanupPolicies returns a ClusterCleanupPolicyInformer. +func (v *version) ClusterCleanupPolicies() ClusterCleanupPolicyInformer { + return &clusterCleanupPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} + // PolicyExceptions returns a PolicyExceptionInformer. func (v *version) PolicyExceptions() PolicyExceptionInformer { return &policyExceptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/pkg/client/listers/kyverno/v2/cleanuppolicy.go b/pkg/client/listers/kyverno/v2/cleanuppolicy.go new file mode 100644 index 0000000000..ad79c4126d --- /dev/null +++ b/pkg/client/listers/kyverno/v2/cleanuppolicy.go @@ -0,0 +1,99 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v2 + +import ( + v2 "github.com/kyverno/kyverno/api/kyverno/v2" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// CleanupPolicyLister helps list CleanupPolicies. +// All objects returned here must be treated as read-only. +type CleanupPolicyLister interface { + // List lists all CleanupPolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error) + // CleanupPolicies returns an object that can list and get CleanupPolicies. + CleanupPolicies(namespace string) CleanupPolicyNamespaceLister + CleanupPolicyListerExpansion +} + +// cleanupPolicyLister implements the CleanupPolicyLister interface. +type cleanupPolicyLister struct { + indexer cache.Indexer +} + +// NewCleanupPolicyLister returns a new CleanupPolicyLister. +func NewCleanupPolicyLister(indexer cache.Indexer) CleanupPolicyLister { + return &cleanupPolicyLister{indexer: indexer} +} + +// List lists all CleanupPolicies in the indexer. +func (s *cleanupPolicyLister) List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v2.CleanupPolicy)) + }) + return ret, err +} + +// CleanupPolicies returns an object that can list and get CleanupPolicies. +func (s *cleanupPolicyLister) CleanupPolicies(namespace string) CleanupPolicyNamespaceLister { + return cleanupPolicyNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// CleanupPolicyNamespaceLister helps list and get CleanupPolicies. +// All objects returned here must be treated as read-only. +type CleanupPolicyNamespaceLister interface { + // List lists all CleanupPolicies in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error) + // Get retrieves the CleanupPolicy from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v2.CleanupPolicy, error) + CleanupPolicyNamespaceListerExpansion +} + +// cleanupPolicyNamespaceLister implements the CleanupPolicyNamespaceLister +// interface. +type cleanupPolicyNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all CleanupPolicies in the indexer for a given namespace. +func (s cleanupPolicyNamespaceLister) List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v2.CleanupPolicy)) + }) + return ret, err +} + +// Get retrieves the CleanupPolicy from the indexer for a given namespace and name. +func (s cleanupPolicyNamespaceLister) Get(name string) (*v2.CleanupPolicy, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v2.Resource("cleanuppolicy"), name) + } + return obj.(*v2.CleanupPolicy), nil +} diff --git a/pkg/client/listers/kyverno/v2/clustercleanuppolicy.go b/pkg/client/listers/kyverno/v2/clustercleanuppolicy.go new file mode 100644 index 0000000000..d54d6a4ec6 --- /dev/null +++ b/pkg/client/listers/kyverno/v2/clustercleanuppolicy.go @@ -0,0 +1,68 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v2 + +import ( + v2 "github.com/kyverno/kyverno/api/kyverno/v2" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// ClusterCleanupPolicyLister helps list ClusterCleanupPolicies. +// All objects returned here must be treated as read-only. +type ClusterCleanupPolicyLister interface { + // List lists all ClusterCleanupPolicies in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v2.ClusterCleanupPolicy, err error) + // Get retrieves the ClusterCleanupPolicy from the index for a given name. + // Objects returned here must be treated as read-only. + Get(name string) (*v2.ClusterCleanupPolicy, error) + ClusterCleanupPolicyListerExpansion +} + +// clusterCleanupPolicyLister implements the ClusterCleanupPolicyLister interface. +type clusterCleanupPolicyLister struct { + indexer cache.Indexer +} + +// NewClusterCleanupPolicyLister returns a new ClusterCleanupPolicyLister. +func NewClusterCleanupPolicyLister(indexer cache.Indexer) ClusterCleanupPolicyLister { + return &clusterCleanupPolicyLister{indexer: indexer} +} + +// List lists all ClusterCleanupPolicies in the indexer. +func (s *clusterCleanupPolicyLister) List(selector labels.Selector) (ret []*v2.ClusterCleanupPolicy, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v2.ClusterCleanupPolicy)) + }) + return ret, err +} + +// Get retrieves the ClusterCleanupPolicy from the index for a given name. +func (s *clusterCleanupPolicyLister) Get(name string) (*v2.ClusterCleanupPolicy, error) { + obj, exists, err := s.indexer.GetByKey(name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v2.Resource("clustercleanuppolicy"), name) + } + return obj.(*v2.ClusterCleanupPolicy), nil +} diff --git a/pkg/client/listers/kyverno/v2/expansion_generated.go b/pkg/client/listers/kyverno/v2/expansion_generated.go index a64e291044..ee564de745 100644 --- a/pkg/client/listers/kyverno/v2/expansion_generated.go +++ b/pkg/client/listers/kyverno/v2/expansion_generated.go @@ -34,6 +34,14 @@ type BackgroundScanReportListerExpansion interface{} // BackgroundScanReportNamespaceLister. type BackgroundScanReportNamespaceListerExpansion interface{} +// CleanupPolicyListerExpansion allows custom methods to be added to +// CleanupPolicyLister. +type CleanupPolicyListerExpansion interface{} + +// CleanupPolicyNamespaceListerExpansion allows custom methods to be added to +// CleanupPolicyNamespaceLister. +type CleanupPolicyNamespaceListerExpansion interface{} + // ClusterAdmissionReportListerExpansion allows custom methods to be added to // ClusterAdmissionReportLister. type ClusterAdmissionReportListerExpansion interface{} @@ -42,6 +50,10 @@ type ClusterAdmissionReportListerExpansion interface{} // ClusterBackgroundScanReportLister. type ClusterBackgroundScanReportListerExpansion interface{} +// ClusterCleanupPolicyListerExpansion allows custom methods to be added to +// ClusterCleanupPolicyLister. +type ClusterCleanupPolicyListerExpansion interface{} + // PolicyExceptionListerExpansion allows custom methods to be added to // PolicyExceptionLister. type PolicyExceptionListerExpansion interface{} diff --git a/pkg/clients/kyverno/kyvernov2/cleanuppolicies/resource.generated.go b/pkg/clients/kyverno/kyvernov2/cleanuppolicies/resource.generated.go new file mode 100644 index 0000000000..742b870167 --- /dev/null +++ b/pkg/clients/kyverno/kyvernov2/cleanuppolicies/resource.generated.go @@ -0,0 +1,373 @@ +package resource + +import ( + context "context" + "fmt" + "time" + + "github.com/go-logr/logr" + github_com_kyverno_kyverno_api_kyverno_v2 "github.com/kyverno/kyverno/api/kyverno/v2" + github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2" + "github.com/kyverno/kyverno/pkg/metrics" + "github.com/kyverno/kyverno/pkg/tracing" + "go.opentelemetry.io/otel/trace" + "go.uber.org/multierr" + k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types" + k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch" +) + +func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface { + return &withLogging{inner, logger} +} + +func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface { + return &withMetrics{inner, recorder} +} + +func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface { + return &withTracing{inner, client, kind} +} + +type withLogging struct { + inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface + logger logr.Logger +} + +func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Create") + ret0, ret1 := c.inner.Create(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Create failed", "duration", time.Since(start)) + } else { + logger.Info("Create done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + start := time.Now() + logger := c.logger.WithValues("operation", "Delete") + ret0 := c.inner.Delete(arg0, arg1, arg2) + if err := multierr.Combine(ret0); err != nil { + logger.Error(err, "Delete failed", "duration", time.Since(start)) + } else { + logger.Info("Delete done", "duration", time.Since(start)) + } + return ret0 +} +func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + start := time.Now() + logger := c.logger.WithValues("operation", "DeleteCollection") + ret0 := c.inner.DeleteCollection(arg0, arg1, arg2) + if err := multierr.Combine(ret0); err != nil { + logger.Error(err, "DeleteCollection failed", "duration", time.Since(start)) + } else { + logger.Info("DeleteCollection done", "duration", time.Since(start)) + } + return ret0 +} +func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Get") + ret0, ret1 := c.inner.Get(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Get failed", "duration", time.Since(start)) + } else { + logger.Info("Get done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicyList, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "List") + ret0, ret1 := c.inner.List(arg0, arg1) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "List failed", "duration", time.Since(start)) + } else { + logger.Info("List done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Patch") + ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Patch failed", "duration", time.Since(start)) + } else { + logger.Info("Patch done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Update") + ret0, ret1 := c.inner.Update(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Update failed", "duration", time.Since(start)) + } else { + logger.Info("Update done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "UpdateStatus") + ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "UpdateStatus failed", "duration", time.Since(start)) + } else { + logger.Info("UpdateStatus done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Watch") + ret0, ret1 := c.inner.Watch(arg0, arg1) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Watch failed", "duration", time.Since(start)) + } else { + logger.Info("Watch done", "duration", time.Since(start)) + } + return ret0, ret1 +} + +type withMetrics struct { + inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface + recorder metrics.Recorder +} + +func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "create") + return c.inner.Create(arg0, arg1, arg2) +} +func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + defer c.recorder.RecordWithContext(arg0, "delete") + return c.inner.Delete(arg0, arg1, arg2) +} +func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + defer c.recorder.RecordWithContext(arg0, "delete_collection") + return c.inner.DeleteCollection(arg0, arg1, arg2) +} +func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "get") + return c.inner.Get(arg0, arg1, arg2) +} +func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicyList, error) { + defer c.recorder.RecordWithContext(arg0, "list") + return c.inner.List(arg0, arg1) +} +func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "patch") + return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) +} +func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "update") + return c.inner.Update(arg0, arg1, arg2) +} +func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "update_status") + return c.inner.UpdateStatus(arg0, arg1, arg2) +} +func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + defer c.recorder.RecordWithContext(arg0, "watch") + return c.inner.Watch(arg0, arg1) +} + +type withTracing struct { + inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface + client string + kind string +} + +func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Create"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Create(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Delete"), + ), + ) + defer span.End() + } + ret0 := c.inner.Delete(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret0) + } + return ret0 +} +func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("DeleteCollection"), + ), + ) + defer span.End() + } + ret0 := c.inner.DeleteCollection(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret0) + } + return ret0 +} +func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Get"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Get(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicyList, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("List"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.List(arg0, arg1) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Patch"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Update"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Update(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("UpdateStatus"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Watch"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Watch(arg0, arg1) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} diff --git a/pkg/clients/kyverno/kyvernov2/client.generated.go b/pkg/clients/kyverno/kyvernov2/client.generated.go index 7916acb602..e31b6a81c6 100644 --- a/pkg/clients/kyverno/kyvernov2/client.generated.go +++ b/pkg/clients/kyverno/kyvernov2/client.generated.go @@ -5,8 +5,10 @@ import ( github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2" admissionreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/admissionreports" backgroundscanreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/backgroundscanreports" + cleanuppolicies "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/cleanuppolicies" clusteradmissionreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/clusteradmissionreports" clusterbackgroundscanreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/clusterbackgroundscanreports" + clustercleanuppolicies "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/clustercleanuppolicies" policyexceptions "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/policyexceptions" "github.com/kyverno/kyverno/pkg/metrics" "k8s.io/client-go/rest" @@ -41,6 +43,10 @@ func (c *withMetrics) BackgroundScanReports(namespace string) github_com_kyverno recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "BackgroundScanReport", c.clientType) return backgroundscanreports.WithMetrics(c.inner.BackgroundScanReports(namespace), recorder) } +func (c *withMetrics) CleanupPolicies(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface { + recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "CleanupPolicy", c.clientType) + return cleanuppolicies.WithMetrics(c.inner.CleanupPolicies(namespace), recorder) +} func (c *withMetrics) ClusterAdmissionReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterAdmissionReportInterface { recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ClusterAdmissionReport", c.clientType) return clusteradmissionreports.WithMetrics(c.inner.ClusterAdmissionReports(), recorder) @@ -49,6 +55,10 @@ func (c *withMetrics) ClusterBackgroundScanReports() github_com_kyverno_kyverno_ recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ClusterBackgroundScanReport", c.clientType) return clusterbackgroundscanreports.WithMetrics(c.inner.ClusterBackgroundScanReports(), recorder) } +func (c *withMetrics) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface { + recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ClusterCleanupPolicy", c.clientType) + return clustercleanuppolicies.WithMetrics(c.inner.ClusterCleanupPolicies(), recorder) +} func (c *withMetrics) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface { recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "PolicyException", c.clientType) return policyexceptions.WithMetrics(c.inner.PolicyExceptions(namespace), recorder) @@ -68,12 +78,18 @@ func (c *withTracing) AdmissionReports(namespace string) github_com_kyverno_kyve func (c *withTracing) BackgroundScanReports(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.BackgroundScanReportInterface { return backgroundscanreports.WithTracing(c.inner.BackgroundScanReports(namespace), c.client, "BackgroundScanReport") } +func (c *withTracing) CleanupPolicies(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface { + return cleanuppolicies.WithTracing(c.inner.CleanupPolicies(namespace), c.client, "CleanupPolicy") +} func (c *withTracing) ClusterAdmissionReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterAdmissionReportInterface { return clusteradmissionreports.WithTracing(c.inner.ClusterAdmissionReports(), c.client, "ClusterAdmissionReport") } func (c *withTracing) ClusterBackgroundScanReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterBackgroundScanReportInterface { return clusterbackgroundscanreports.WithTracing(c.inner.ClusterBackgroundScanReports(), c.client, "ClusterBackgroundScanReport") } +func (c *withTracing) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface { + return clustercleanuppolicies.WithTracing(c.inner.ClusterCleanupPolicies(), c.client, "ClusterCleanupPolicy") +} func (c *withTracing) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface { return policyexceptions.WithTracing(c.inner.PolicyExceptions(namespace), c.client, "PolicyException") } @@ -92,12 +108,18 @@ func (c *withLogging) AdmissionReports(namespace string) github_com_kyverno_kyve func (c *withLogging) BackgroundScanReports(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.BackgroundScanReportInterface { return backgroundscanreports.WithLogging(c.inner.BackgroundScanReports(namespace), c.logger.WithValues("resource", "BackgroundScanReports").WithValues("namespace", namespace)) } +func (c *withLogging) CleanupPolicies(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface { + return cleanuppolicies.WithLogging(c.inner.CleanupPolicies(namespace), c.logger.WithValues("resource", "CleanupPolicies").WithValues("namespace", namespace)) +} func (c *withLogging) ClusterAdmissionReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterAdmissionReportInterface { return clusteradmissionreports.WithLogging(c.inner.ClusterAdmissionReports(), c.logger.WithValues("resource", "ClusterAdmissionReports")) } func (c *withLogging) ClusterBackgroundScanReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterBackgroundScanReportInterface { return clusterbackgroundscanreports.WithLogging(c.inner.ClusterBackgroundScanReports(), c.logger.WithValues("resource", "ClusterBackgroundScanReports")) } +func (c *withLogging) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface { + return clustercleanuppolicies.WithLogging(c.inner.ClusterCleanupPolicies(), c.logger.WithValues("resource", "ClusterCleanupPolicies")) +} func (c *withLogging) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface { return policyexceptions.WithLogging(c.inner.PolicyExceptions(namespace), c.logger.WithValues("resource", "PolicyExceptions").WithValues("namespace", namespace)) } diff --git a/pkg/clients/kyverno/kyvernov2/clustercleanuppolicies/resource.generated.go b/pkg/clients/kyverno/kyvernov2/clustercleanuppolicies/resource.generated.go new file mode 100644 index 0000000000..a14bee1d3f --- /dev/null +++ b/pkg/clients/kyverno/kyvernov2/clustercleanuppolicies/resource.generated.go @@ -0,0 +1,373 @@ +package resource + +import ( + context "context" + "fmt" + "time" + + "github.com/go-logr/logr" + github_com_kyverno_kyverno_api_kyverno_v2 "github.com/kyverno/kyverno/api/kyverno/v2" + github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2" + "github.com/kyverno/kyverno/pkg/metrics" + "github.com/kyverno/kyverno/pkg/tracing" + "go.opentelemetry.io/otel/trace" + "go.uber.org/multierr" + k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types" + k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch" +) + +func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface { + return &withLogging{inner, logger} +} + +func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface { + return &withMetrics{inner, recorder} +} + +func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface { + return &withTracing{inner, client, kind} +} + +type withLogging struct { + inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface + logger logr.Logger +} + +func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Create") + ret0, ret1 := c.inner.Create(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Create failed", "duration", time.Since(start)) + } else { + logger.Info("Create done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + start := time.Now() + logger := c.logger.WithValues("operation", "Delete") + ret0 := c.inner.Delete(arg0, arg1, arg2) + if err := multierr.Combine(ret0); err != nil { + logger.Error(err, "Delete failed", "duration", time.Since(start)) + } else { + logger.Info("Delete done", "duration", time.Since(start)) + } + return ret0 +} +func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + start := time.Now() + logger := c.logger.WithValues("operation", "DeleteCollection") + ret0 := c.inner.DeleteCollection(arg0, arg1, arg2) + if err := multierr.Combine(ret0); err != nil { + logger.Error(err, "DeleteCollection failed", "duration", time.Since(start)) + } else { + logger.Info("DeleteCollection done", "duration", time.Since(start)) + } + return ret0 +} +func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Get") + ret0, ret1 := c.inner.Get(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Get failed", "duration", time.Since(start)) + } else { + logger.Info("Get done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicyList, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "List") + ret0, ret1 := c.inner.List(arg0, arg1) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "List failed", "duration", time.Since(start)) + } else { + logger.Info("List done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Patch") + ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Patch failed", "duration", time.Since(start)) + } else { + logger.Info("Patch done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Update") + ret0, ret1 := c.inner.Update(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Update failed", "duration", time.Since(start)) + } else { + logger.Info("Update done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "UpdateStatus") + ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "UpdateStatus failed", "duration", time.Since(start)) + } else { + logger.Info("UpdateStatus done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Watch") + ret0, ret1 := c.inner.Watch(arg0, arg1) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Watch failed", "duration", time.Since(start)) + } else { + logger.Info("Watch done", "duration", time.Since(start)) + } + return ret0, ret1 +} + +type withMetrics struct { + inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface + recorder metrics.Recorder +} + +func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "create") + return c.inner.Create(arg0, arg1, arg2) +} +func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + defer c.recorder.RecordWithContext(arg0, "delete") + return c.inner.Delete(arg0, arg1, arg2) +} +func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + defer c.recorder.RecordWithContext(arg0, "delete_collection") + return c.inner.DeleteCollection(arg0, arg1, arg2) +} +func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "get") + return c.inner.Get(arg0, arg1, arg2) +} +func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicyList, error) { + defer c.recorder.RecordWithContext(arg0, "list") + return c.inner.List(arg0, arg1) +} +func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "patch") + return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) +} +func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "update") + return c.inner.Update(arg0, arg1, arg2) +} +func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "update_status") + return c.inner.UpdateStatus(arg0, arg1, arg2) +} +func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + defer c.recorder.RecordWithContext(arg0, "watch") + return c.inner.Watch(arg0, arg1) +} + +type withTracing struct { + inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface + client string + kind string +} + +func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Create"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Create(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Delete"), + ), + ) + defer span.End() + } + ret0 := c.inner.Delete(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret0) + } + return ret0 +} +func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("DeleteCollection"), + ), + ) + defer span.End() + } + ret0 := c.inner.DeleteCollection(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret0) + } + return ret0 +} +func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Get"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Get(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicyList, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("List"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.List(arg0, arg1) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Patch"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Update"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Update(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("UpdateStatus"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Watch"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Watch(arg0, arg1) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml index 9474a233f4..ae76685ce1 100644 --- a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml @@ -27,7 +27,7 @@ spec: kinds: - PolicyException generate: - apiVersion: kyverno.io/v2beta1 + apiVersion: kyverno.io/v2 kind: ClusterCleanupPolicy name: polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random('[0-9a-z]{8}') }} synchronize: false