mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00

update kyverno crd types.go

Shuting Zhao 2020-11-13 16:02:44 -08:00
parent 047b2b8739
commit 365dd6e408
11 changed files with 58 additions and 2506 deletions


@ -219,6 +219,7 @@ spec:
description: Specifies resource namespace.
type: string
synchronize:
default: false
description: To keep resources synchronized with source
resource.
type: boolean
@ -406,7 +407,7 @@ spec:
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny validation.
description: Specifies set of condition to deny.
items:
description: Condition defines the evaluation condition.
properties:
@ -865,8 +866,6 @@ spec:
kind: ClusterReportChangeRequest
listKind: ClusterReportChangeRequestList
plural: clusterreportchangerequests
shortNames:
- cpol
singular: clusterreportchangerequest
scope: Cluster
versions:
@ -1570,6 +1569,7 @@ spec:
description: Specifies resource namespace.
type: string
synchronize:
default: false
description: To keep resources synchronized with source
resource.
type: boolean
@ -1757,7 +1757,7 @@ spec:
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny validation.
description: Specifies set of condition to deny.
items:
description: Condition defines the evaluation condition.
properties:
@ -2536,621 +2536,3 @@ status:
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicies.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.background
description: Background controls if rules are applied to existing resources during
a background scan.
name: Background
type: string
- JSONPath: .spec.validationFailureAction
description: ValidationFailureAction controls if a policy failure should disallow
(enforce) or allow and report (audit) the admission review request.
name: Validation Failure Action
type: string
group: kyverno.io
names:
kind: ClusterPolicy
plural: clusterpolicies
shortNames:
- cpol
singular: clusterpolicy
scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
background:
type: boolean
rules:
items:
properties:
exclude:
properties:
clusterRoles:
items:
type: string
type: array
resources:
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
namespaces:
items:
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
type: object
generate:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
required:
- namespace
- name
type: object
data: {}
kind:
type: string
name:
type: string
namespace:
type: string
synchronize:
type: boolean
required:
- kind
- name
type: object
match:
properties:
clusterRoles:
items:
type: string
type: array
resources:
minProperties: 1
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
namespaces:
items:
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
required:
- resources
type: object
mutate:
properties:
overlay: {}
patchStrategicMerge: {}
patches:
items:
properties:
op:
enum:
- add
- replace
- remove
type: string
path:
type: string
value: {}
required:
- path
- op
type: object
type: array
patchesJson6902:
type: string
type: object
name:
type: string
preconditions:
items:
required:
- key
- operator
- value
type: object
type: array
validate:
properties:
anyPattern: {}
deny:
properties:
conditions:
items:
properties:
key:
type: string
operator:
enum:
- Equal
- Equals
- NotEqual
- NotEquals
- In
- NotIn
type: string
value:
anyOf:
- type: string
- items: {}
type: array
required:
- key
- operator
- value
type: object
type: array
message:
type: string
pattern: {}
type: object
required:
- name
- match
type: object
type: array
validationFailureAction:
enum:
- enforce
- audit
type: string
required:
- rules
status: {}
versions:
- name: v1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: generaterequests.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.policy
description: The policy that resulted in the violation
name: Policy
type: string
- JSONPath: .spec.resource.kind
description: The resource kind that cause the violation
name: ResourceKind
type: string
- JSONPath: .spec.resource.name
description: The resource name that caused the violation
name: ResourceName
type: string
- JSONPath: .spec.resource.namespace
description: The resource namespace that caused the violation
name: ResourceNamespace
type: string
- JSONPath: .status.state
description: Current state of generate request
name: status
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: kyverno.io
names:
kind: GenerateRequest
plural: generaterequests
shortNames:
- gr
singular: generaterequest
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
policy:
type: string
resource:
properties:
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
required:
- policy
- resource
versions:
- name: v1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: policies.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.background
description: Background controls if rules are applied to existing resources during
a background scan.
name: Background
type: string
- JSONPath: .spec.validationFailureAction
description: ValidationFailureAction controls if a policy failure should disallow
(enforce) or allow and report (audit) the admission review request.
name: Validation Failure Action
type: string
group: kyverno.io
names:
kind: Policy
plural: policies
shortNames:
- pol
singular: policy
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
background:
type: boolean
rules:
items:
properties:
exclude:
properties:
clusterRoles:
items:
type: string
type: array
resources:
properties:
kinds:
items:
type: string
type: array
name:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
type: object
generate:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
required:
- namespace
- name
type: object
data: {}
kind:
type: string
name:
type: string
namespace:
type: string
synchronize:
type: boolean
required:
- kind
- name
type: object
match:
properties:
clusterRoles:
items:
type: string
type: array
resources:
minProperties: 1
properties:
kinds:
items:
type: string
type: array
name:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
required:
- resources
type: object
mutate:
properties:
overlay: {}
patchStrategicMerge: {}
patches:
items:
properties:
op:
enum:
- add
- replace
- remove
type: string
path:
type: string
value: {}
required:
- path
- op
type: object
type: array
patchesJson6902:
type: string
type: object
name:
type: string
preconditions:
items:
required:
- key
- operator
- value
type: object
type: array
validate:
properties:
anyPattern: {}
deny:
properties:
conditions:
items:
properties:
key:
type: string
operator:
enum:
- Equal
- Equals
- NotEqual
- NotEquals
- In
- NotIn
type: string
value:
anyOf:
- type: string
- items: {}
type: array
required:
- key
- operator
- value
type: object
type: array
message:
type: string
pattern: {}
type: object
required:
- name
- match
type: object
type: array
validationFailureAction:
enum:
- enforce
- audit
type: string
required:
- rules
status: {}
versions:
- name: v1
served: true
storage: true


@ -1,615 +0,0 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicies.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.background
description: Background controls if rules are applied to existing resources during a background scan.
name: Background
type: string
- JSONPath: .spec.validationFailureAction
description: ValidationFailureAction controls if a policy failure should disallow (enforce) or allow and report (audit) the admission review request.
name: Validation Failure Action
type: string
group: kyverno.io
versions:
- name: v1
served: true
storage: true
scope: Cluster
names:
kind: ClusterPolicy
plural: clusterpolicies
singular: clusterpolicy
shortNames:
- cpol
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
status: {}
spec:
required:
- rules
properties:
# default values to be handled by user
validationFailureAction:
type: string
enum:
- enforce # blocks the resorce api-reques if a rule fails.
- audit # allows resource creation and reports the failed validation rules as violations. Default
background:
type: boolean
rules:
type: array
items:
type: object
required:
- name
- match
properties:
name:
type: string
match:
type: object
required:
- resources
properties:
roles:
type: array
items:
type: string
clusterRoles:
type: array
items:
type: string
subjects:
type: array
items:
type: object
required:
- kind
- name
properties:
kind:
type: string
apiGroup:
type: string
name:
type: string
namespace:
type: string
resources:
type: object
minProperties: 1
properties:
kinds:
type: array
items:
type: string
name:
type: string
namespaces:
type: array
items:
type: string
annotations:
type: object
additionalProperties:
type: string
selector:
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
exclude:
type: object
properties:
roles:
type: array
items:
type: string
clusterRoles:
type: array
items:
type: string
subjects:
type: array
items:
type: object
required:
- kind
- name
properties:
kind:
type: string
apiGroup:
type: string
name:
type: string
namespace:
type: string
resources:
type: object
properties:
kinds:
type: array
items:
type: string
name:
type: string
namespaces:
type: array
items:
type: string
annotations:
type: object
additionalProperties:
type: string
selector:
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
preconditions:
type: array
items:
type: object
required:
- key # can be of any type
- operator # typed
- value # can be of any type
mutate:
type: object
properties:
overlay: {}
patchStrategicMerge: {}
patchesJson6902:
type: string
patches:
type: array
items:
type: object
required:
- path
- op
properties:
path:
type: string
op:
type: string
enum:
- add
- replace
- remove
value: {}
validate:
type: object
properties:
message:
type: string
pattern: {}
anyPattern: {}
deny:
properties:
conditions:
type: array
items:
type: object
required:
- key # can be of any type
- operator # typed
- value # can be of any type
properties:
operator:
type: string
enum:
- Equal
- Equals
- NotEqual
- NotEquals
- In
- NotIn
key:
type: string
value:
anyOf:
- type: string
- type: array
items: {}
generate:
type: object
required:
- kind
- name
properties:
apiVersion:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
synchronize:
type: boolean
clone:
type: object
required:
- namespace
- name
properties:
namespace:
type: string
name:
type: string
data: {}
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: policies.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.background
description: Background controls if rules are applied to existing resources during a background scan.
name: Background
type: string
- JSONPath: .spec.validationFailureAction
description: ValidationFailureAction controls if a policy failure should disallow (enforce) or allow and report (audit) the admission review request.
name: Validation Failure Action
type: string
group: kyverno.io
versions:
- name: v1
served: true
storage: true
scope: Namespaced
names:
kind: Policy
plural: policies
singular: policy
shortNames:
- pol
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
status: {}
spec:
required:
- rules
properties:
# default values to be handled by user
validationFailureAction:
type: string
enum:
- enforce # blocks the resorce api-reques if a rule fails.
- audit # allows resource creation and reports the failed validation rules as violations. Default
background:
type: boolean
rules:
type: array
items:
type: object
required:
- name
- match
properties:
name:
type: string
match:
type: object
required:
- resources
properties:
roles:
type: array
items:
type: string
clusterRoles:
type: array
items:
type: string
subjects:
type: array
items:
type: object
required:
- kind
- name
properties:
kind:
type: string
apiGroup:
type: string
name:
type: string
namespace:
type: string
resources:
type: object
minProperties: 1
properties:
kinds:
type: array
items:
type: string
name:
type: string
selector:
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
exclude:
type: object
properties:
roles:
type: array
items:
type: string
clusterRoles:
type: array
items:
type: string
subjects:
type: array
items:
type: object
required:
- kind
- name
properties:
kind:
type: string
apiGroup:
type: string
name:
type: string
namespace:
type: string
resources:
type: object
properties:
kinds:
type: array
items:
type: string
name:
type: string
selector:
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
preconditions:
type: array
items:
type: object
required:
- key # can be of any type
- operator # typed
- value # can be of any type
mutate:
type: object
properties:
overlay: {}
patchStrategicMerge: {}
patchesJson6902:
type: string
patches:
type: array
items:
type: object
required:
- path
- op
properties:
path:
type: string
op:
type: string
enum:
- add
- replace
- remove
value: {}
validate:
type: object
properties:
message:
type: string
pattern: {}
anyPattern: {}
deny:
properties:
conditions:
type: array
items:
type: object
required:
- key # can be of any type
- operator # typed
- value # can be of any type
properties:
operator:
type: string
enum:
- Equal
- Equals
- NotEqual
- NotEquals
- In
- NotIn
key:
type: string
value:
anyOf:
- type: string
- type: array
items: {}
generate:
type: object
required:
- kind
- name
properties:
apiVersion:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
synchronize:
type: boolean
clone:
type: object
required:
- namespace
- name
properties:
namespace:
type: string
name:
type: string
data: {}
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: generaterequests.kyverno.io
spec:
group: kyverno.io
versions:
- name: v1
served: true
storage: true
scope: Namespaced
names:
kind: GenerateRequest
plural: generaterequests
singular: generaterequest
shortNames:
- gr
subresources:
status: {}
additionalPrinterColumns:
- name: Policy
type: string
description: The policy that resulted in the violation
JSONPath: .spec.policy
- name: ResourceKind
type: string
description: The resource kind that cause the violation
JSONPath: .spec.resource.kind
- name: ResourceName
type: string
description: The resource name that caused the violation
JSONPath: .spec.resource.name
- name: ResourceNamespace
type: string
description: The resource namespace that caused the violation
JSONPath: .spec.resource.namespace
- name: status
type : string
description: Current state of generate request
JSONPath: .status.state
- name: Age
type: date
JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
spec:
required:
- policy
- resource
properties:
policy:
type: string
resource:
type: object
required:
- kind
- name
properties:
kind:
type: string
name:
type: string
namespace:
type: string


@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./crds.yaml
- ./kyverno.io_clusterpolicies.yaml
- ./kyverno.io_clusterreportchangerequests.yaml
- ./kyverno.io_generaterequests.yaml


@ -221,6 +221,7 @@ spec:
description: Specifies resource namespace.
type: string
synchronize:
default: false
description: To keep resources synchronized with source
resource.
type: boolean
@ -408,7 +409,7 @@ spec:
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny validation.
description: Specifies set of condition to deny.
items:
description: Condition defines the evaluation condition.
properties:


@ -13,8 +13,6 @@ spec:
kind: ClusterReportChangeRequest
listKind: ClusterReportChangeRequestList
plural: clusterreportchangerequests
shortNames:
- cpol
singular: clusterreportchangerequest
scope: Cluster
versions:


@ -221,6 +221,7 @@ spec:
description: Specifies resource namespace.
type: string
synchronize:
default: false
description: To keep resources synchronized with source
resource.
type: boolean
@ -408,7 +409,7 @@ spec:
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny validation.
description: Specifies set of condition to deny.
items:
description: Condition defines the evaluation condition.
properties:

630
definitions/install.yaml Executable file → Normal file

@ -224,6 +224,7 @@ spec:
description: Specifies resource namespace.
type: string
synchronize:
default: false
description: To keep resources synchronized with source
resource.
type: boolean
@ -411,7 +412,7 @@ spec:
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny validation.
description: Specifies set of condition to deny.
items:
description: Condition defines the evaluation condition.
properties:
@ -870,8 +871,6 @@ spec:
kind: ClusterReportChangeRequest
listKind: ClusterReportChangeRequestList
plural: clusterreportchangerequests
shortNames:
- cpol
singular: clusterreportchangerequest
scope: Cluster
versions:
@ -1575,6 +1574,7 @@ spec:
description: Specifies resource namespace.
type: string
synchronize:
default: false
description: To keep resources synchronized with source
resource.
type: boolean
@ -1762,7 +1762,7 @@ spec:
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny validation.
description: Specifies set of condition to deny.
items:
description: Condition defines the evaluation condition.
properties:
@ -2542,624 +2542,6 @@ status:
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicies.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.background
description: Background controls if rules are applied to existing resources during
a background scan.
name: Background
type: string
- JSONPath: .spec.validationFailureAction
description: ValidationFailureAction controls if a policy failure should disallow
(enforce) or allow and report (audit) the admission review request.
name: Validation Failure Action
type: string
group: kyverno.io
names:
kind: ClusterPolicy
plural: clusterpolicies
shortNames:
- cpol
singular: clusterpolicy
scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
background:
type: boolean
rules:
items:
properties:
exclude:
properties:
clusterRoles:
items:
type: string
type: array
resources:
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
namespaces:
items:
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
type: object
generate:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
required:
- namespace
- name
type: object
data: {}
kind:
type: string
name:
type: string
namespace:
type: string
synchronize:
type: boolean
required:
- kind
- name
type: object
match:
properties:
clusterRoles:
items:
type: string
type: array
resources:
minProperties: 1
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
namespaces:
items:
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
required:
- resources
type: object
mutate:
properties:
overlay: {}
patchStrategicMerge: {}
patches:
items:
properties:
op:
enum:
- add
- replace
- remove
type: string
path:
type: string
value: {}
required:
- path
- op
type: object
type: array
patchesJson6902:
type: string
type: object
name:
type: string
preconditions:
items:
required:
- key
- operator
- value
type: object
type: array
validate:
properties:
anyPattern: {}
deny:
properties:
conditions:
items:
properties:
key:
type: string
operator:
enum:
- Equal
- Equals
- NotEqual
- NotEquals
- In
- NotIn
type: string
value:
anyOf:
- type: string
- items: {}
type: array
required:
- key
- operator
- value
type: object
type: array
message:
type: string
pattern: {}
type: object
required:
- name
- match
type: object
type: array
validationFailureAction:
enum:
- enforce
- audit
type: string
required:
- rules
status: {}
versions:
- name: v1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: generaterequests.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.policy
description: The policy that resulted in the violation
name: Policy
type: string
- JSONPath: .spec.resource.kind
description: The resource kind that cause the violation
name: ResourceKind
type: string
- JSONPath: .spec.resource.name
description: The resource name that caused the violation
name: ResourceName
type: string
- JSONPath: .spec.resource.namespace
description: The resource namespace that caused the violation
name: ResourceNamespace
type: string
- JSONPath: .status.state
description: Current state of generate request
name: status
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: kyverno.io
names:
kind: GenerateRequest
plural: generaterequests
shortNames:
- gr
singular: generaterequest
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
policy:
type: string
resource:
properties:
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
required:
- policy
- resource
versions:
- name: v1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: policies.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.background
description: Background controls if rules are applied to existing resources during
a background scan.
name: Background
type: string
- JSONPath: .spec.validationFailureAction
description: ValidationFailureAction controls if a policy failure should disallow
(enforce) or allow and report (audit) the admission review request.
name: Validation Failure Action
type: string
group: kyverno.io
names:
kind: Policy
plural: policies
shortNames:
- pol
singular: policy
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
background:
type: boolean
rules:
items:
properties:
exclude:
properties:
clusterRoles:
items:
type: string
type: array
resources:
properties:
kinds:
items:
type: string
type: array
name:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
type: object
generate:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
required:
- namespace
- name
type: object
data: {}
kind:
type: string
name:
type: string
namespace:
type: string
synchronize:
type: boolean
required:
- kind
- name
type: object
match:
properties:
clusterRoles:
items:
type: string
type: array
resources:
minProperties: 1
properties:
kinds:
items:
type: string
type: array
name:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
required:
- resources
type: object
mutate:
properties:
overlay: {}
patchStrategicMerge: {}
patches:
items:
properties:
op:
enum:
- add
- replace
- remove
type: string
path:
type: string
value: {}
required:
- path
- op
type: object
type: array
patchesJson6902:
type: string
type: object
name:
type: string
preconditions:
items:
required:
- key
- operator
- value
type: object
type: array
validate:
properties:
anyPattern: {}
deny:
properties:
conditions:
items:
properties:
key:
type: string
operator:
enum:
- Equal
- Equals
- NotEqual
- NotEquals
- In
- NotIn
type: string
value:
anyOf:
- type: string
- items: {}
type: array
required:
- key
- operator
- value
type: object
type: array
message:
type: string
pattern: {}
type: object
required:
- name
- match
type: object
type: array
validationFailureAction:
enum:
- enforce
- audit
type: string
required:
- rules
status: {}
versions:
- name: v1
served: true
storage: true
---
apiVersion: v1
kind: ServiceAccount
metadata:
@ -3563,8 +2945,8 @@ spec:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
image: nirmata/kyverno:v1.3.0-rc1
imagePullPolicy: Always
image: nirmata/kyverno:latest
imagePullPolicy: Never
livenessProbe:
failureThreshold: 4
httpGet:
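Review bot: The container spec in the last hunk of definitions/install.yaml now appears to ship `image: nirmata/kyverno:latest` with `imagePullPolicy: Never`, which reads like a local development setting that leaked into the published install manifest. With `Never` the kubelet does not pull at all, so the admission controller either runs whatever image is tagged `latest` in the node's local store or fails to start, and a mutable tag gives no reproducible or verifiable version. I would keep the release pin, `image: nirmata/kyverno:v1.3.0-rc1` with `imagePullPolicy: IfNotPresent` (or `Always` as before), and if this file is generated, make the fix in the kustomize source it is built from. The +/- markers are lost on this page, so which pair is the new side is inferred from print order and the 8/8 hunk counts; the Deployment spec continues outside the hunk.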


@ -224,6 +224,7 @@ spec:
description: Specifies resource namespace.
type: string
synchronize:
default: false
description: To keep resources synchronized with source
resource.
type: boolean
@ -411,7 +412,7 @@ spec:
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny validation.
description: Specifies set of condition to deny.
items:
description: Condition defines the evaluation condition.
properties:
@ -870,8 +871,6 @@ spec:
kind: ClusterReportChangeRequest
listKind: ClusterReportChangeRequestList
plural: clusterreportchangerequests
shortNames:
- cpol
singular: clusterreportchangerequest
scope: Cluster
versions:
@ -1575,6 +1574,7 @@ spec:
description: Specifies resource namespace.
type: string
synchronize:
default: false
description: To keep resources synchronized with source
resource.
type: boolean
@ -1762,7 +1762,7 @@ spec:
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny validation.
description: Specifies set of condition to deny.
items:
description: Condition defines the evaluation condition.
properties:
@ -2542,624 +2542,6 @@ status:
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicies.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.background
description: Background controls if rules are applied to existing resources during
a background scan.
name: Background
type: string
- JSONPath: .spec.validationFailureAction
description: ValidationFailureAction controls if a policy failure should disallow
(enforce) or allow and report (audit) the admission review request.
name: Validation Failure Action
type: string
group: kyverno.io
names:
kind: ClusterPolicy
plural: clusterpolicies
shortNames:
- cpol
singular: clusterpolicy
scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
background:
type: boolean
rules:
items:
properties:
exclude:
properties:
clusterRoles:
items:
type: string
type: array
resources:
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
namespaces:
items:
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
type: object
generate:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
required:
- namespace
- name
type: object
data: {}
kind:
type: string
name:
type: string
namespace:
type: string
synchronize:
type: boolean
required:
- kind
- name
type: object
match:
properties:
clusterRoles:
items:
type: string
type: array
resources:
minProperties: 1
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
namespaces:
items:
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
required:
- resources
type: object
mutate:
properties:
overlay: {}
patchStrategicMerge: {}
patches:
items:
properties:
op:
enum:
- add
- replace
- remove
type: string
path:
type: string
value: {}
required:
- path
- op
type: object
type: array
patchesJson6902:
type: string
type: object
name:
type: string
preconditions:
items:
required:
- key
- operator
- value
type: object
type: array
validate:
properties:
anyPattern: {}
deny:
properties:
conditions:
items:
properties:
key:
type: string
operator:
enum:
- Equal
- Equals
- NotEqual
- NotEquals
- In
- NotIn
type: string
value:
anyOf:
- type: string
- items: {}
type: array
required:
- key
- operator
- value
type: object
type: array
message:
type: string
pattern: {}
type: object
required:
- name
- match
type: object
type: array
validationFailureAction:
enum:
- enforce
- audit
type: string
required:
- rules
status: {}
versions:
- name: v1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: generaterequests.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.policy
description: The policy that resulted in the violation
name: Policy
type: string
- JSONPath: .spec.resource.kind
description: The resource kind that cause the violation
name: ResourceKind
type: string
- JSONPath: .spec.resource.name
description: The resource name that caused the violation
name: ResourceName
type: string
- JSONPath: .spec.resource.namespace
description: The resource namespace that caused the violation
name: ResourceNamespace
type: string
- JSONPath: .status.state
description: Current state of generate request
name: status
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: kyverno.io
names:
kind: GenerateRequest
plural: generaterequests
shortNames:
- gr
singular: generaterequest
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
policy:
type: string
resource:
properties:
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
required:
- policy
- resource
versions:
- name: v1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: policies.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.background
description: Background controls if rules are applied to existing resources during
a background scan.
name: Background
type: string
- JSONPath: .spec.validationFailureAction
description: ValidationFailureAction controls if a policy failure should disallow
(enforce) or allow and report (audit) the admission review request.
name: Validation Failure Action
type: string
group: kyverno.io
names:
kind: Policy
plural: policies
shortNames:
- pol
singular: policy
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
background:
type: boolean
rules:
items:
properties:
exclude:
properties:
clusterRoles:
items:
type: string
type: array
resources:
properties:
kinds:
items:
type: string
type: array
name:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
type: object
generate:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
required:
- namespace
- name
type: object
data: {}
kind:
type: string
name:
type: string
namespace:
type: string
synchronize:
type: boolean
required:
- kind
- name
type: object
match:
properties:
clusterRoles:
items:
type: string
type: array
resources:
minProperties: 1
properties:
kinds:
items:
type: string
type: array
name:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
required:
- resources
type: object
mutate:
properties:
overlay: {}
patchStrategicMerge: {}
patches:
items:
properties:
op:
enum:
- add
- replace
- remove
type: string
path:
type: string
value: {}
required:
- path
- op
type: object
type: array
patchesJson6902:
type: string
type: object
name:
type: string
preconditions:
items:
required:
- key
- operator
- value
type: object
type: array
validate:
properties:
anyPattern: {}
deny:
properties:
conditions:
items:
properties:
key:
type: string
operator:
enum:
- Equal
- Equals
- NotEqual
- NotEquals
- In
- NotIn
type: string
value:
anyOf:
- type: string
- items: {}
type: array
required:
- key
- operator
- value
type: object
type: array
message:
type: string
pattern: {}
type: object
required:
- name
- match
type: object
type: array
validationFailureAction:
enum:
- enforce
- audit
type: string
required:
- rules
status: {}
versions:
- name: v1
served: true
storage: true
---
apiVersion: v1
kind: ServiceAccount
metadata:


@ -243,8 +243,9 @@ type Validation struct {
Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`
}
// Deny specifies list of deny patterns.
type Deny struct {
// Specifies set of condition to deny validation.
// Specifies set of condition to deny.
Conditions []Condition `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}
@ -253,6 +254,7 @@ type Generation struct {
ResourceSpec `json:",omitempty" yaml:",omitempty"`
// To keep resources synchronized with source resource.
// +kubebuilder:default=false
// +optional
Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
@ -358,19 +360,3 @@ type ResourceSpec struct {
// Specifies resource name.
Name string `json:"name,omitempty" yaml:"name,omitempty"`
}
// ViolatedRule stores the information regarding the rule.
type ViolatedRule struct {
// Specifies violated rule name.
Name string `json:"name" yaml:"name"`
// Specifies violated rule type.
Type string `json:"type" yaml:"type"`
// Specifies violation message.
// +optional
Message string `json:"message" yaml:"message"`
// +optional
Check string `json:"check" yaml:"check"`
}
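Review bot: The reworded field comment in the `Deny` hunk, `// Specifies set of condition to deny.`, no longer says what is denied, and the same text appears as the field `description` in the CRD manifests changed by this commit, which is what policy authors read. It should start with the field name and name the object, for example `// Conditions lists the conditions that are evaluated to decide whether the request is denied.` Whether several conditions are combined with AND or OR is not visible in this hunk; stating that in the same comment would help authors write deny rules that block what they intend.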


@ -1,6 +1,7 @@
package v1
import (
"encoding/json"
"reflect"
)
@ -43,6 +44,25 @@ func (r Rule) HasGenerate() bool {
return !reflect.DeepEqual(r.Generation, Generation{})
}
// DeserializeAnyPattern deserialize apiextensions.JSON to []interface{}
func (in *Validation) DeserializeAnyPattern() ([]interface{}, error) {
if in.AnyPattern == nil {
return nil, nil
}
anyPattern, err := json.Marshal(in.AnyPattern)
if err != nil {
return nil, err
}
var res []interface{}
if err := json.Unmarshal(anyPattern, &res); err != nil {
return nil, err
}
return res, nil
}
// DeepCopyInto is declared because k8s:deepcopy-gen is
// not able to generate this method for interface{} member
func (in *Mutation) DeepCopyInto(out *Mutation) {
@ -87,3 +107,19 @@ func (cond *Condition) DeepCopyInto(out *Condition) {
func (rs ResourceSpec) ToKey() string {
return rs.Kind + "." + rs.Name
}
// ViolatedRule stores the information regarding the rule.
type ViolatedRule struct {
// Specifies violated rule name.
Name string `json:"name" yaml:"name"`
// Specifies violated rule type.
Type string `json:"type" yaml:"type"`
// Specifies violation message.
// +optional
Message string `json:"message" yaml:"message"`
// +optional
Check string `json:"check" yaml:"check"`
}
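Review bot: `DeserializeAnyPattern` returns the raw `encoding/json` errors, so a policy whose `anyPattern` is not a JSON array is rejected with a generic unmarshal message that names neither the field nor the expected shape. Because this value comes from user-written policies, wrapping the second error would make the rejection actionable, e.g. `return nil, fmt.Errorf("anyPattern must be a list of patterns: %w", err)` (this needs `fmt` added to the import block touched in the first hunk). The doc comment should start with the method name and state that a nil `AnyPattern` yields `nil, nil`. Separately, in the last hunk `ViolatedRule.Message` and `Check` are marked `// +optional` but their tags have no `omitempty`, so empty values are still serialized.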


@ -29,7 +29,7 @@ import (
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +genclient:nonNamespaced
// +kubebuilder:object:root=true
// +kubebuilder:resource:path=clusterreportchangerequests,scope="Cluster",shortName=cpol
// +kubebuilder:resource:path=clusterreportchangerequests,scope="Cluster"
// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1
// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1
// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass`