diff --git a/README.md b/README.md index c9223a5d6c..73eb439f67 100644 --- a/README.md +++ b/README.md @@ -4,176 +4,22 @@  -Kyverno is a policy engine built for Kubernetes: -* policies as Kubernetes resources (no new language to learn!) -* validate, mutate, or generate any resource -* match resources using label selectors and wildcards -* validate and mutate using overlays (like Kustomize!) -* generate and synchronize defaults across namespaces -* block or report violations -* test using kubectl -Watch a 3 minute video review of Kyverno on Coffee and Cloud Native with Adrian Goins: +
-
ClusterPolicy …
- -Field | -Description | -||||||
---|---|---|---|---|---|---|---|
-apiVersion
-string |
-
-
-kyverno.io/v1
-
- |
-||||||
-kind
-string
- |
-ClusterPolicy |
-||||||
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||
-spec
-
-
-Spec
-
-
- |
-
- Spec is the information to identify the policy -- -
|
-||||||
-status
-
-
-PolicyStatus
-
-
- |
-
- Status contains statistics related to policy - |
-
-
ClusterPolicyViolation represents cluster-wide violations
- -Field | -Description | -||||||
---|---|---|---|---|---|---|---|
-apiVersion
-string |
-
-
-kyverno.io/v1
-
- |
-||||||
-kind
-string
- |
-ClusterPolicyViolation |
-||||||
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||
-spec
-
-
-PolicyViolationSpec
-
-
- |
-
- - -
|
-||||||
-status
-
-
-PolicyViolationStatus
-
-
- |
-- | -
-
GenerateRequest is a request to process generate rule
- -Field | -Description | -||||||
---|---|---|---|---|---|---|---|
-apiVersion
-string |
-
-
-kyverno.io/v1
-
- |
-||||||
-kind
-string
- |
-GenerateRequest |
-||||||
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||
-spec
-
-
-GenerateRequestSpec
-
-
- |
-
- Spec is the information to identify the generate request -- -
|
-||||||
-status
-
-
-GenerateRequestStatus
-
-
- |
-
- Status contains statistics related to generate request - |
-
-
PolicyViolation represents namespaced violations
- -Field | -Description | -||||||
---|---|---|---|---|---|---|---|
-apiVersion
-string |
-
-
-kyverno.io/v1
-
- |
-||||||
-kind
-string
- |
-PolicyViolation |
-||||||
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||
-spec
-
-
-PolicyViolationSpec
-
-
- |
-
- - -
|
-||||||
-status
-
-
-PolicyViolationStatus
-
-
- |
-- | -
-(Appears on: -Generation) -
--
CloneFrom - location of the resource -which will be used as source when applying ‘generate’
- -Field | -Description | -
---|---|
-namespace
-
-string
-
- |
-
- Specifies resource namespace - |
-
-name
-
-string
-
- |
-
- Specifies name of the resource - |
-
-
Condition defines the evaluation condition
- -Field | -Description | -
---|---|
-key
-
-interface{}
-
- |
-
- Key contains key to compare - |
-
-operator
-
-
-ConditionOperator
-
-
- |
-
- Operator to compare against value - |
-
-value
-
-interface{}
-
- |
-
- Value to be compared - |
-
string
alias)-(Appears on: -Condition) -
--
ConditionOperator defines the type for condition operator
- --(Appears on: -Validation) -
--
-Field | -Description | -
---|---|
-conditions
-
-
-[]Condition
-
-
- |
-
- Specifies set of condition to deny validation - |
-
-(Appears on: -Rule) -
--
ExcludeResources container resource description of the resources that are to be excluded from the applying the policy rule
- -Field | -Description | -
---|---|
-UserInfo
-
-
-UserInfo
-
-
- |
-
- Specifies user information - |
-
-resources
-
-
-ResourceDescription
-
-
- |
-
- Specifies resources to which rule is excluded - |
-
-(Appears on: -GenerateRequestSpec) -
--
GenerateRequestContext stores the context to be shared
- -Field | -Description | -
---|---|
-userInfo
-
-
-RequestInfo
-
-
- |
-
- UserRequestInfo … - |
-
-(Appears on: -GenerateRequest) -
--
GenerateRequestSpec stores the request specification
- -Field | -Description | -
---|---|
-policy
-
-string
-
- |
-
- Specifies the name of the policy - |
-
-resource
-
-
-ResourceSpec
-
-
- |
-
- ResourceSpec is the information to identify the generate request - |
-
-context
-
-
-GenerateRequestContext
-
-
- |
-
- Context … - |
-
string
alias)-(Appears on: -GenerateRequestStatus) -
--
GenerateRequestState defines the state of
- --(Appears on: -GenerateRequest) -
--
GenerateRequestStatus stores the status of generated request
- -Field | -Description | -
---|---|
-state
-
-
-GenerateRequestState
-
-
- |
-
- State represents state of the generate request - |
-
-message
-
-string
-
- |
-
-(Optional)
- Specifies request status message - |
-
-generatedResources
-
-
-[]ResourceSpec
-
-
- |
-
- This will track the resources that are generated by the generate Policy -Will be used during clean up resources - |
-
-(Appears on: -Rule) -
--
Generation describes which resources will be created when other resource is created
- -Field | -Description | -
---|---|
-ResourceSpec
-
-
-ResourceSpec
-
-
- |
-- | -
-synchronize
-
-bool
-
- |
-
- To keep resources synchronized with source resource - |
-
-data
-
-interface{}
-
- |
-
- Data … - |
-
-clone
-
-
-CloneFrom
-
-
- |
-
- To clone resource from other resource - |
-
-(Appears on: -Rule) -
--
MatchResources contains resource description of the resources that the rule is to apply on
- -Field | -Description | -
---|---|
-UserInfo
-
-
-UserInfo
-
-
- |
-
- Specifies user information - |
-
-resources
-
-
-ResourceDescription
-
-
- |
-
- Specifies resources to which rule is applied - |
-
-(Appears on: -Rule) -
--
Mutation describes the way how Mutating Webhook will react on resource creation
- -Field | -Description | -
---|---|
-overlay
-
-interface{}
-
- |
-
- Specifies overlay patterns - |
-
-patches
-
-
-[]Patch
-
-
- |
-
- Specifies JSON Patch - |
-
-(Appears on: -Mutation) -
--
Patch declares patch operation for created object according to RFC 6902
- -Field | -Description | -
---|---|
-path
-
-string
-
- |
-
- Specifies path of the resource - |
-
-op
-
-string
-
- |
-
- Specifies operations supported by JSON Patch. -i.e:- add, replace and delete - |
-
-value
-
-interface{}
-
- |
-
- Specifies the value to be applied - |
-
-
Policy contains rules to be applied to created resources
- -Field | -Description | -||||||
---|---|---|---|---|---|---|---|
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||
-spec
-
-
-Spec
-
-
- |
-
- Spec is the information to identify the policy -- -
|
-||||||
-status
-
-
-PolicyStatus
-
-
- |
-
- Status contains statistics related to policy - |
-
-(Appears on: -ClusterPolicy, -Policy) -
--
PolicyStatus mostly contains statistics related to policy
- -Field | -Description | -
---|---|
-averageExecutionTime
-
-string
-
- |
-
- average time required to process the policy rules on a resource - |
-
-violationCount
-
-int
-
- |
-
- number of violations created by this policy - |
-
-rulesFailedCount
-
-int
-
- |
-
- Count of rules that failed - |
-
-rulesAppliedCount
-
-int
-
- |
-
- Count of rules that were applied - |
-
-resourcesBlockedCount
-
-int
-
- |
-
- Count of resources that were blocked for failing a validate, across all rules - |
-
-resourcesMutatedCount
-
-int
-
- |
-
- Count of resources that were successfully mutated, across all rules - |
-
-resourcesGeneratedCount
-
-int
-
- |
-
- Count of resources that were successfully generated, across all rules - |
-
-ruleStatus
-
-
-[]RuleStats
-
-
- |
-- | -
-(Appears on: -ClusterPolicyViolation, -PolicyViolation, -PolicyViolationTemplate) -
--
PolicyViolationSpec describes policy behavior by its rules
- -Field | -Description | -
---|---|
-policy
-
-string
-
- |
-
- Specifies name of the policy - |
-
-resource
-
-
-ResourceSpec
-
-
- |
-- | -
-rules
-
-
-[]ViolatedRule
-
-
- |
-
- Specifies list of violated rule - |
-
-(Appears on: -ClusterPolicyViolation, -PolicyViolation, -PolicyViolationTemplate) -
--
PolicyViolationStatus provides information regarding policyviolation status -status: -LastUpdateTime : the time the policy violation was updated
- -Field | -Description | -
---|---|
-lastUpdateTime
-
-
-Kubernetes meta/v1.Time
-
-
- |
-
- LastUpdateTime : the time the policy violation was updated - |
-
-
PolicyViolationTemplate stores the information regarinding the resources for which a policy failed to apply
- -Field | -Description | -||||||
---|---|---|---|---|---|---|---|
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||
-spec
-
-
-PolicyViolationSpec
-
-
- |
-
- - -
|
-||||||
-status
-
-
-PolicyViolationStatus
-
-
- |
-- | -
-(Appears on: -GenerateRequestContext) -
--
RequestInfo contains permission info carried in an admission request
- -Field | -Description | -
---|---|
-roles
-
-[]string
-
- |
-
- Roles is a list of possible role send the request - |
-
-clusterRoles
-
-[]string
-
- |
-
- ClusterRoles is a list of possible clusterRoles send the request - |
-
-userInfo
-
-
-Kubernetes authentication/v1.UserInfo
-
-
- |
-
- UserInfo is the userInfo carried in the admission request - |
-
-(Appears on: -ExcludeResources, -MatchResources) -
--
ResourceDescription describes the resource to which the PolicyRule will be applied.
- -Field | -Description | -
---|---|
-kinds
-
-[]string
-
- |
-
- Specifies list of resource kind - |
-
-name
-
-string
-
- |
-
- Specifies name of the resource - |
-
-namespaces
-
-[]string
-
- |
-
- Specifies list of namespaces - |
-
-selector
-
-
-Kubernetes meta/v1.LabelSelector
-
-
- |
-
- Specifies the set of selectors - |
-
-(Appears on: -GenerateRequestSpec, -GenerateRequestStatus, -Generation, -PolicyViolationSpec) -
--
ResourceSpec information to identify the resource
- -Field | -Description | -
---|---|
-kind
-
-string
-
- |
-
-(Optional)
- Specifies resource kind - |
-
-namespace
-
-string
-
- |
-
-(Optional)
- Specifies resource namespace - |
-
-name
-
-string
-
- |
-
- Specifies resource name - |
-
-(Appears on: -Spec) -
--
Rule is set of mutation, validation and generation actions -for the single resource description
- -Field | -Description | -
---|---|
-name
-
-string
-
- |
-
- Specifies rule name - |
-
-match
-
-
-MatchResources
-
-
- |
-
-(Optional)
- Specifies resources for which the rule has to be applied. -If it’s defined, “kind” inside MatchResources block is required. - |
-
-exclude
-
-
-ExcludeResources
-
-
- |
-
-(Optional)
- Specifies resources for which rule can be excluded - |
-
-preconditions
-
-
-[]Condition
-
-
- |
-
-(Optional)
- Allows controlling policy rule execution - |
-
-mutate
-
-
-Mutation
-
-
- |
-
-(Optional)
- Specifies patterns to mutate resources - |
-
-validate
-
-
-Validation
-
-
- |
-
-(Optional)
- Specifies patterns to validate resources - |
-
-generate
-
-
-Generation
-
-
- |
-
-(Optional)
- Specifies patterns to create additional resources - |
-
-(Appears on: -PolicyStatus) -
--
RuleStats provides status per rule
- -Field | -Description | -
---|---|
-ruleName
-
-string
-
- |
-
- Rule name - |
-
-averageExecutionTime
-
-string
-
- |
-
- average time require to process the rule - |
-
-violationCount
-
-int
-
- |
-
- number of violations created by this rule - |
-
-failedCount
-
-int
-
- |
-
- Count of rules that failed - |
-
-appliedCount
-
-int
-
- |
-
- Count of rules that were applied - |
-
-resourcesBlockedCount
-
-int
-
- |
-
- Count of resources for whom update/create api requests were blocked as the resource did not satisfy the policy rules - |
-
-resourcesMutatedCount
-
-int
-
- |
-
- Count of resources that were successfully mutated - |
-
-resourcesGeneratedCount
-
-int
-
- |
-
- Count of resources that were successfully generated - |
-
-(Appears on: -ClusterPolicy, -Policy) -
--
Spec describes policy behavior by its rules
- -Field | -Description | -
---|---|
-rules
-
-
-[]Rule
-
-
- |
-
- Rules contains the list of rules to be applied to resources - |
-
-validationFailureAction
-
-string
-
- |
-
- ValidationFailureAction provides choice to enforce rules to resources during policy violations. -Default value is “audit”. - |
-
-background
-
-bool
-
- |
-
- Background provides choice for applying rules to existing resources. -Default value is “true”. - |
-
-(Appears on: -ExcludeResources, -MatchResources) -
--
UserInfo filter based on users
- -Field | -Description | -
---|---|
-roles
-
-[]string
-
- |
-
- Specifies list of namespaced role names - |
-
-clusterRoles
-
-[]string
-
- |
-
- Specifies list of cluster wide role names - |
-
-subjects
-
-
-[]Kubernetes rbac/v1.Subject
-
-
- |
-
- Specifies list of subject names like users, user groups, and service accounts - |
-
-(Appears on: -Rule) -
--
Validation describes the way how Validating Webhook will check the resource on creation
- -Field | -Description | -
---|---|
-message
-
-string
-
- |
-
- Specifies message to be displayed on validation policy violation - |
-
-pattern
-
-interface{}
-
- |
-
- Specifies validation pattern - |
-
-anyPattern
-
-[]interface{}
-
- |
-
- Specifies list of validation patterns - |
-
-deny
-
-
-Deny
-
-
- |
-
- Specifies conditions to deny validation - |
-
-(Appears on: -PolicyViolationSpec) -
--
ViolatedRule stores the information regarding the rule
- -Field | -Description | -
---|---|
-name
-
-string
-
- |
-
- Specifies violated rule name - |
-
-type
-
-string
-
- |
-
- Specifies violated rule type - |
-
-message
-
-string
-
- |
-
- Specifies violation message - |
-
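Review bot: the `@@ -4,176 +4,22 @@` hunk removes both the README introduction (the "Kyverno is a policy engine built for Kubernetes" bullet list and the Coffee and Cloud Native video pointer) and the entire generated API reference, but the 22 replacement lines are not visible in this rendering, so I can't confirm that the README still tells the reader where the CRD field documentation now lives. If the new lines don't already do so, add a one-line pointer such as `See the API reference for the ClusterPolicy, Policy, PolicyViolation and GenerateRequest types.` with a link to the generated docs. The removed tables are the only place on this page that state two security-relevant defaults: `validationFailureAction` "Default value is \u201caudit\u201d" (violations are reported, not blocked) and `background` "Default value is \u201ctrue\u201d"; dropping them without a pointer makes it easy for a reader to assume a validate rule enforces by default. The removed text also carries typos that originate in the Go type comments ("regarinding", "average time require to process the rule", "Roles is a list of possible role send the request"), so wherever the reference is regenerated is the right place to fix those comments rather than the README.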