
feat: add matchlabel selector support with multiple clone (#4713)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Prateek Pandey 2022-09-28 21:14:38 +05:30 committed by GitHub
parent c28c0f2f42
commit 38c252952d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 1947 additions and 3061 deletions


@ -6,6 +6,7 @@ import (
"github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest" "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api" "k8s.io/pod-security-admission/api"
) )
@ -496,6 +497,11 @@ type CloneList struct {
// Kinds is a list of resource kinds. // Kinds is a list of resource kinds.
Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"` Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"`
// Selector is a label selector. Label keys and values in `matchLabels`.
// wildcard characters are not supported.
// +optional
Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`
} }
func (g *Generation) GetData() apiextensions.JSON { func (g *Generation) GetData() apiextensions.JSON {
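Review bot: The doc comment on the new `Selector` field of `CloneList` is not a complete sentence and does not say how a nil or an empty selector is treated, although this field decides which source resources of the listed `Kinds` are copied into other namespaces. With the standard `metav1.LabelSelector` conversion a nil selector matches nothing and an empty one (`selector: {}`) matches every object, so if the clone code (not visible in this section) relies on that conversion, an empty selector would clone every resource of those kinds from the source namespace, which is much broader than a policy author is likely to expect for sensitive kinds. I would reword the first line to `// Selector is a label selector that picks the source resources to clone; wildcard characters in label keys and values are not supported.` and add one sentence on what an empty selector matches once that is confirmed against the clone logic, ideally backed by policy validation that rejects an empty selector. The same wording is copied into the generated CRD descriptions in the later sections, so those need regenerating afterwards. The earlier fields of `CloneList` lie outside this hunk.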


@ -259,6 +259,11 @@ func (in *CloneList) DeepCopyInto(out *CloneList) {
*out = make([]string, len(*in)) *out = make([]string, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.Selector != nil {
in, out := &in.Selector, &out.Selector
*out = new(metav1.LabelSelector)
(*in).DeepCopyInto(*out)
}
} }
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloneList. // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloneList.


@ -1508,6 +1508,37 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only.
@ -3197,6 +3228,37 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only.
@ -4838,6 +4900,37 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only.
@ -6502,6 +6595,37 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only.
@ -8739,6 +8863,37 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only.
@ -10428,6 +10583,37 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only.
@ -12069,6 +12255,37 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only.
@ -13733,6 +13950,37 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys and values in `matchLabels`. wildcard characters are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only.


@ -853,6 +853,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -3583,6 +3632,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration
@ -6258,6 +6360,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -8918,6 +9069,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration


@ -854,6 +854,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -3585,6 +3634,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration
@ -6261,6 +6363,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -8921,6 +9072,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration

File diff suppressed because it is too large Load diff


@ -2133,6 +2133,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -4863,6 +4912,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration
@ -7538,6 +7640,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -10198,6 +10349,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration
@ -13653,6 +13857,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -16384,6 +16637,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration
@ -19060,6 +19366,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -21720,6 +22075,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration
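Review bot: The `selector` property added after `namespace` (first at `@ -2133,6 +2133,55 @@`, repeated in the seven later hunks of this file) accepts `matchExpressions` as well as `matchLabels`, but its description mentions only `matchLabels` and never says what the selector selects. Whether the clone logic evaluates `matchExpressions` is not visible on this page. If it reads only `matchLabels`, a policy that relies on a `NotIn` or `DoesNotExist` requirement to keep some resources out of the clone would have that requirement ignored and copy more than intended, so policy validation should reject the unsupported part or the description should state that both are honoured. The description is also a sentence fragment; assuming the selector picks the source resources to clone, I would word the field comment as `Selector is a label selector for the source resources to clone. Wildcard characters are not supported in label keys or values.` If this manifest is generated from the Go type, make the change there and regenerate.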


@ -2139,6 +2139,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -3606,22 +3655,12 @@ spec:
the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
type: string type: string
images: images:
description: Images is a list of matching image description: Images selects matching containers
patterns. Each image is the image name consisting and applies the container level PSS. Each image
of the registry address, repository, image, is the image name consisting of the registry
and tag. address, repository, image, and tag. Empty list
items: matches no containers, PSS checks are applied
type: string at the pod level only.
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items: items:
type: string type: string
type: array type: array
@ -4879,6 +4918,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration
@ -6404,22 +6496,12 @@ spec:
https://kubernetes.io/docs/concepts/security/pod-security-standards/' https://kubernetes.io/docs/concepts/security/pod-security-standards/'
type: string type: string
images: images:
description: Images is a list of matching description: Images selects matching containers
image patterns. Each image is the image and applies the container level PSS. Each
name consisting of the registry address, image is the image name consisting of the
repository, image, and tag. registry address, repository, image, and
items: tag. Empty list matches no containers, PSS
type: string checks are applied at the pod level only.
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items: items:
type: string type: string
type: array type: array
@ -7564,6 +7646,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -9001,22 +9132,12 @@ spec:
the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
type: string type: string
images: images:
description: Images is a list of matching image description: Images selects matching containers
patterns. Each image is the image name consisting and applies the container level PSS. Each image
of the registry address, repository, image, is the image name consisting of the registry
and tag. address, repository, image, and tag. Empty list
items: matches no containers, PSS checks are applied
type: string at the pod level only.
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items: items:
type: string type: string
type: array type: array
@ -10234,6 +10355,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration
@ -11759,22 +11933,12 @@ spec:
https://kubernetes.io/docs/concepts/security/pod-security-standards/' https://kubernetes.io/docs/concepts/security/pod-security-standards/'
type: string type: string
images: images:
description: Images is a list of matching description: Images selects matching containers
image patterns. Each image is the image and applies the container level PSS. Each
name consisting of the registry address, image is the image name consisting of the
repository, image, and tag. registry address, repository, image, and
items: tag. Empty list matches no containers, PSS
type: string checks are applied at the pod level only.
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items: items:
type: string type: string
type: array type: array
@ -13702,6 +13866,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -15169,22 +15382,12 @@ spec:
the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
type: string type: string
images: images:
description: Images is a list of matching image description: Images selects matching containers
patterns. Each image is the image name consisting and applies the container level PSS. Each image
of the registry address, repository, image, is the image name consisting of the registry
and tag. address, repository, image, and tag. Empty list
items: matches no containers, PSS checks are applied
type: string at the pod level only.
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items: items:
type: string type: string
type: array type: array
@ -16443,6 +16646,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration
@ -17968,22 +18224,12 @@ spec:
https://kubernetes.io/docs/concepts/security/pod-security-standards/' https://kubernetes.io/docs/concepts/security/pod-security-standards/'
type: string type: string
images: images:
description: Images is a list of matching description: Images selects matching containers
image patterns. Each image is the image and applies the container level PSS. Each
name consisting of the registry address, image is the image name consisting of the
repository, image, and tag. registry address, repository, image, and
items: tag. Empty list matches no containers, PSS
type: string checks are applied at the pod level only.
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items: items:
type: string type: string
type: array type: array
@ -19129,6 +19375,55 @@ spec:
namespace: namespace:
description: Namespace specifies source resource namespace. description: Namespace specifies source resource namespace.
type: string type: string
selector:
description: Selector is a label selector. Label keys
and values in `matchLabels`. wildcard characters are
not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration used description: Data provides the resource declaration used
@ -20566,22 +20861,12 @@ spec:
the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
type: string type: string
images: images:
description: Images is a list of matching image description: Images selects matching containers
patterns. Each image is the image name consisting and applies the container level PSS. Each image
of the registry address, repository, image, is the image name consisting of the registry
and tag. address, repository, image, and tag. Empty list
items: matches no containers, PSS checks are applied
type: string at the pod level only.
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items: items:
type: string type: string
type: array type: array
@ -21799,6 +22084,59 @@ spec:
description: Namespace specifies source resource description: Namespace specifies source resource
namespace. namespace.
type: string type: string
selector:
description: Selector is a label selector. Label
keys and values in `matchLabels`. wildcard characters
are not supported.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object type: object
data: data:
description: Data provides the resource declaration description: Data provides the resource declaration
@ -23324,22 +23662,12 @@ spec:
https://kubernetes.io/docs/concepts/security/pod-security-standards/' https://kubernetes.io/docs/concepts/security/pod-security-standards/'
type: string type: string
images: images:
description: Images is a list of matching description: Images selects matching containers
image patterns. Each image is the image and applies the container level PSS. Each
name consisting of the registry address, image is the image name consisting of the
repository, image, and tag. registry address, repository, image, and
items: tag. Empty list matches no containers, PSS
type: string checks are applied at the pod level only.
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items: items:
type: string type: string
type: array type: array


@ -678,7 +678,7 @@ func manageCloneList(log logr.Logger, namespace, policy string, clone kyvernov1.
for _, kind := range kinds { for _, kind := range kinds {
apiVersion, kind := kubeutils.GetKindFromGVK(kind) apiVersion, kind := kubeutils.GetKindFromGVK(kind)
resources, err := client.ListResource(apiVersion, kind, rNamespace, nil) resources, err := client.ListResource(apiVersion, kind, rNamespace, clone.CloneList.Selector)
if err != nil { if err != nil {
response = append(response, GenerateResponse{ response = append(response, GenerateResponse{
Data: nil, Data: nil,
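Review bot: The `client.ListResource` call now takes `clone.CloneList.Selector`, and nothing here says what a nil or empty selector means for the scope of the clone. The old call passed `nil`, and a policy that sets `selector: {}` yields a non-nil selector with no requirements, so presumably both still list every resource of the kind in `rNamespace`. For sensitive kinds that decides how much is copied into target namespaces, so I would add `// nil or empty selector: every resource of this kind in rNamespace is a clone source` above the call. The loop and the rest of manageCloneList lie outside the hunk.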


@ -11,6 +11,7 @@ import (
"github.com/kyverno/kyverno/pkg/engine/variables" "github.com/kyverno/kyverno/pkg/engine/variables"
"github.com/kyverno/kyverno/pkg/policy/common" "github.com/kyverno/kyverno/pkg/policy/common"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
"github.com/kyverno/kyverno/pkg/utils/wildcard"
) )
// Generate provides implementation to validate 'generate' rule // Generate provides implementation to validate 'generate' rule
@ -55,7 +56,12 @@ func (g *Generate) Validate() (string, error) {
return "kind", fmt.Errorf("kind cannot be empty") return "kind", fmt.Errorf("kind cannot be empty")
} }
} }
// Can I generate resource
if rule.CloneList.Selector != nil {
if wildcard.ContainsWildcard(rule.CloneList.Selector.String()) {
return "selector", fmt.Errorf("wildcard characters `*/?` not supported")
}
}
if !reflect.DeepEqual(rule.Clone, kyvernov1.CloneFrom{}) { if !reflect.DeepEqual(rule.Clone, kyvernov1.CloneFrom{}) {
if path, err := g.validateClone(rule.Clone, rule.CloneList, kind); err != nil { if path, err := g.validateClone(rule.Clone, rule.CloneList, kind); err != nil {
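Review bot: The selector check in Validate runs `wildcard.ContainsWildcard` over `rule.CloneList.Selector.String()`, which is the debug rendering of the whole struct rather than its keys and values. It only works as long as that rendering never contains `*` or `?` itself, and it accepts a selector that is malformed in other ways, such as an unknown operator or an `In` with no values. Such a selector would presumably only fail once the generate controller tries to list with it. Validating it at admission is stricter and also rejects wildcard characters, since they are not legal in label keys or values: `if _, err := metav1.LabelSelectorAsSelector(rule.CloneList.Selector); err != nil { return "selector", err }`. That needs the `metav1` import in this file, and the rest of Validate lies outside the hunk.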