diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index e1e3a39900..e8e8969489 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -68,6 +68,7 @@ The following table lists the configurable parameters of the kyverno chart and t | `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` | | `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` | | `config.resourceFilters` | list of filter of resource types to be skipped by kyverno policy engine. See [documentation](https://github.com/kyverno/kyverno/blob/master/documentation/installation.md#filter-kubernetes-resources-that-admission-webhook-should-not-process) for details | `["[Event,*,*]","[*,kube-system,*]","[*,kube-public,*]","[*,kube-node-lease,*]","[Node,*,*]","[APIService,*,*]","[TokenReview,*,*]","[SubjectAccessReview,*,*]","[*,kyverno,*]"]` | +| customLabels | object | `{}` | Additional labels | | `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` | | envVars | Extra environment variables to pass to kyverno | {} | | `extraArgs` | list of extra arguments to give the binary | `[]` | diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl index 9deb537961..05934cdb3f 100644 --- a/charts/kyverno/templates/_helpers.tpl +++ b/charts/kyverno/templates/_helpers.tpl @@ -30,10 +30,16 @@ If release name contains chart name it will be used as a full name. {{/* Helm required labels */}} {{- define "kyverno.labels" -}} -app.kubernetes.io/name: {{ template "kyverno.name" . }} -helm.sh/chart: {{ template "kyverno.chart" . }} +app.kubernetes.io/component: kyverno app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ template "kyverno.name" . }} +app.kubernetes.io/part-of: {{ template "kyverno.name" . }} +app.kubernetes.io/version: "{{ .Chart.Version }}" +helm.sh/chart: {{ template "kyverno.chart" . }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels | indent 4 }} +{{- end }} {{- end -}} {{/* matchLabels */}} diff --git a/charts/kyverno/templates/clusterrole.yaml b/charts/kyverno/templates/clusterrole.yaml index 3cec33ff0f..75b2464ece 100644 --- a/charts/kyverno/templates/clusterrole.yaml +++ b/charts/kyverno/templates/clusterrole.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "kyverno.fullname" . }}:webhook + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno rules: # Dynamic creation of webhooks, events & certs - apiGroups: @@ -48,6 +50,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "kyverno.fullname" . }}:userinfo + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno rules: # get the roleRef for incoming api-request user - apiGroups: @@ -67,6 +71,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "kyverno.fullname" . }}:customresources + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno rules: # Kyverno CRs - apiGroups: @@ -105,6 +111,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "kyverno.fullname" . }}:policycontroller + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno rules: # background processing, identify all existing resources - apiGroups: @@ -121,6 +129,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "kyverno.fullname" . }}:generatecontroller + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno rules: # process generate rules to generate resources - apiGroups: @@ -154,9 +164,10 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" name: {{ template "kyverno.fullname" . }}:admin-policies + labels: {{ include "kyverno.labels" . | nindent 4 }} + rbac.authorization.k8s.io/aggregate-to-admin: "true" + app: kyverno rules: - apiGroups: - kyverno.io @@ -169,8 +180,9 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - labels: + labels: {{ include "kyverno.labels" . | nindent 4 }} rbac.authorization.k8s.io/aggregate-to-admin: "true" + app: kyverno name: {{ template "kyverno.fullname" . }}:admin-policyreport rules: - apiGroups: @@ -184,8 +196,9 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - labels: + labels: {{ include "kyverno.labels" . | nindent 4 }} rbac.authorization.k8s.io/aggregate-to-admin: "true" + app: kyverno name: {{ template "kyverno.fullname" . }}:admin-reportchangerequest rules: - apiGroups: @@ -194,4 +207,4 @@ rules: - reportchangerequests - clusterreportchangerequests verbs: - - "*" + - "*" \ No newline at end of file diff --git a/charts/kyverno/templates/clusterrolebinding.yaml b/charts/kyverno/templates/clusterrolebinding.yaml index 3ae1dcc6c4..41639e0159 100644 --- a/charts/kyverno/templates/clusterrolebinding.yaml +++ b/charts/kyverno/templates/clusterrolebinding.yaml @@ -3,6 +3,8 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ template "kyverno.fullname" . }}:webhook + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -16,6 +18,8 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ template "kyverno.fullname" . }}:userinfo + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -29,6 +33,8 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ template "kyverno.fullname" . }}:customresources + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -42,6 +48,8 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ template "kyverno.fullname" . }}:policycontroller + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -55,6 +63,8 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ template "kyverno.fullname" . }}:generatecontroller + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/kyverno/templates/configmap.yaml b/charts/kyverno/templates/configmap.yaml index 92db811de0..b71ee31ccd 100644 --- a/charts/kyverno/templates/configmap.yaml +++ b/charts/kyverno/templates/configmap.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: ConfigMap metadata: labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno name: {{ template "kyverno.configMapName" . }} namespace: {{ template "kyverno.namespace" . }} data: diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/deployment.yaml index 774f50b969..e0e4010586 100644 --- a/charts/kyverno/templates/deployment.yaml +++ b/charts/kyverno/templates/deployment.yaml @@ -3,14 +3,17 @@ kind: Deployment metadata: name: {{ template "kyverno.fullname" . }} labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno namespace: {{ template "kyverno.namespace" . }} spec: selector: matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }} + app: kyverno replicas: {{ .Values.replicaCount }} template: metadata: labels: {{ include "kyverno.labels" . | nindent 8 }} + app: kyverno {{- range $key, $value := .Values.podLabels }} {{ $key }}: {{ $value }} {{- end }} diff --git a/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml b/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml index 680a28f9cb..f6cfa21903 100644 --- a/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml +++ b/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml @@ -12,6 +12,8 @@ metadata: policies.kyverno.io/description: >- Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: validationFailureAction: {{ .Values.validationFailureAction }} background: true diff --git a/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml b/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml index 59301ddf87..6a1a87a9c8 100644 --- a/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml +++ b/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml @@ -13,6 +13,8 @@ metadata: Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: validationFailureAction: {{ .Values.validationFailureAction }} background: true diff --git a/charts/kyverno/templates/policies/default/disallow-host-path.yaml b/charts/kyverno/templates/policies/default/disallow-host-path.yaml index ed1418f5b3..f50fd797b9 100644 --- a/charts/kyverno/templates/policies/default/disallow-host-path.yaml +++ b/charts/kyverno/templates/policies/default/disallow-host-path.yaml @@ -13,6 +13,8 @@ metadata: HostPath volumes let pods use host directories and volumes in containers. Using host resources can be used to access shared data or escalate privileges and should not be allowed. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: validationFailureAction: {{ .Values.validationFailureAction }} background: true diff --git a/charts/kyverno/templates/policies/default/disallow-host-ports.yaml b/charts/kyverno/templates/policies/default/disallow-host-ports.yaml index c167ba569a..9217814b50 100644 --- a/charts/kyverno/templates/policies/default/disallow-host-ports.yaml +++ b/charts/kyverno/templates/policies/default/disallow-host-ports.yaml @@ -12,6 +12,8 @@ metadata: policies.kyverno.io/description: >- Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: validationFailureAction: {{ .Values.validationFailureAction }} background: true diff --git a/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml b/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml index 1dfcc8cdcb..36c358f191 100644 --- a/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml +++ b/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml @@ -11,6 +11,8 @@ metadata: {{- end }} policies.kyverno.io/description: >- Privileged mode disables most security mechanisms and must not be allowed. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: validationFailureAction: {{ .Values.validationFailureAction }} background: true diff --git a/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml b/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml index 9ab8447bff..2309d29a52 100644 --- a/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml +++ b/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml @@ -11,6 +11,8 @@ metadata: {{- end }} policies.kyverno.io/description: >- The default /proc masks are set up to reduce attack surface and should be required. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: validationFailureAction: {{ .Values.validationFailureAction }} background: true diff --git a/charts/kyverno/templates/policies/default/disallow-selinux.yaml b/charts/kyverno/templates/policies/default/disallow-selinux.yaml index 3ab24dde86..bad44366f8 100644 --- a/charts/kyverno/templates/policies/default/disallow-selinux.yaml +++ b/charts/kyverno/templates/policies/default/disallow-selinux.yaml @@ -12,6 +12,8 @@ metadata: {{- end }} policies.kyverno.io/description: >- SELinux options can be used to escalate privileges and should not be allowed. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: validationFailureAction: {{ .Values.validationFailureAction }} background: true diff --git a/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml b/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml index 9449c3e1f2..2f3b5c7ed7 100644 --- a/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml +++ b/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml @@ -14,6 +14,8 @@ metadata: On supported hosts, the 'runtime/default' AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict overrides to an allowed set of profiles. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: validationFailureAction: {{ .Values.validationFailureAction }} background: true diff --git a/charts/kyverno/templates/policies/default/restrict-sysctls.yaml b/charts/kyverno/templates/policies/default/restrict-sysctls.yaml index e9aae27615..0d4af8652e 100644 --- a/charts/kyverno/templates/policies/default/restrict-sysctls.yaml +++ b/charts/kyverno/templates/policies/default/restrict-sysctls.yaml @@ -14,6 +14,8 @@ metadata: host, and should be disallowed except for an allowed "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: validationFailureAction: {{ .Values.validationFailureAction }} background: true diff --git a/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml b/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml index b2850b3f78..487f456a30 100644 --- a/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml +++ b/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml @@ -11,6 +11,8 @@ metadata: {{- end }} policies.kyverno.io/description: >- Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: background: true validationFailureAction: {{ .Values.validationFailureAction }} diff --git a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml index 843a49370b..fa5d146035 100644 --- a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml +++ b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml @@ -11,6 +11,8 @@ metadata: {{- end }} policies.kyverno.io/description: >- Containers should be forbidden from running with a root primary or supplementary GID. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: background: true validationFailureAction: {{ .Values.validationFailureAction }} diff --git a/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml b/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml index 70e7dcb832..b4ac13c9fd 100644 --- a/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml +++ b/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml @@ -10,6 +10,8 @@ metadata: policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} {{- end }} policies.kyverno.io/description: Containers must be required to run as non-root users. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: background: true validationFailureAction: {{ .Values.validationFailureAction }} diff --git a/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml b/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml index 1bc7ae63af..ba0a034cfa 100644 --- a/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml +++ b/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml @@ -13,6 +13,8 @@ metadata: policies.kyverno.io/description: >- The runtime default seccomp profile must be required, or only specific additional profiles should be allowed. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: background: true validationFailureAction: {{ .Values.validationFailureAction }} diff --git a/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml b/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml index bdd6b3529d..37ba6db19a 100644 --- a/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml +++ b/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml @@ -12,6 +12,8 @@ metadata: policies.kyverno.io/description: >- In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno spec: background: true validationFailureAction: {{ .Values.validationFailureAction }} diff --git a/charts/kyverno/templates/secret.yaml b/charts/kyverno/templates/secret.yaml index 7648f2f185..a4ed677f83 100644 --- a/charts/kyverno/templates/secret.yaml +++ b/charts/kyverno/templates/secret.yaml @@ -6,6 +6,7 @@ kind: Secret metadata: name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno data: rootCA.crt: {{ $ca.Cert | b64enc }} --- @@ -14,6 +15,7 @@ kind: Secret metadata: name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno annotations: self-signed-cert: "true" type: kubernetes.io/tls diff --git a/charts/kyverno/templates/service.yaml b/charts/kyverno/templates/service.yaml index 152636697d..caec996323 100644 --- a/charts/kyverno/templates/service.yaml +++ b/charts/kyverno/templates/service.yaml @@ -3,6 +3,7 @@ kind: Service metadata: name: {{ template "kyverno.serviceName" . }} labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno namespace: {{ template "kyverno.namespace" . }} {{- with .Values.service.annotations }} annotations: {{ tpl (toYaml .) $ | nindent 4 }} @@ -24,4 +25,5 @@ spec: nodePort: {{ .Values.service.metricsNodePort }} {{- end }} selector: {{ include "kyverno.matchLabels" . | nindent 4 }} + app: kyverno type: {{ .Values.service.type }} diff --git a/charts/kyverno/templates/serviceaccount.yaml b/charts/kyverno/templates/serviceaccount.yaml index 996d93ef4f..521ff85d92 100644 --- a/charts/kyverno/templates/serviceaccount.yaml +++ b/charts/kyverno/templates/serviceaccount.yaml @@ -4,6 +4,7 @@ kind: ServiceAccount metadata: name: {{ template "kyverno.serviceAccountName" . }} labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno {{- if .Values.rbac.serviceAccount.annotations }} annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }} {{- end }} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index aba657a2d7..32c96d4bd2 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -12,6 +12,9 @@ podSecurityPolicies: [] # For more info- https://kyverno.io/docs/writing-policies/validate/ validationFailureAction: audit +# -- Additional labels +customLabels: {} + rbac: create: true serviceAccount: diff --git a/definitions/install.yaml b/definitions/install.yaml index c1fbe64d02..94522460af 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -1,6 +1,14 @@ apiVersion: v1 kind: Namespace metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 @@ -9,6 +17,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -31,13 +46,18 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -45,26 +65,49 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. properties: context: - description: Context defines variables and data sources that can be used during rule execution. + description: Context defines variables and data sources that + can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + description: APICall defines an HTTP request to the Kubernetes + API server. The JSON data retrieved is stored in the + context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the API server. For example a JMESPath + of "items | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + description: URLPath is the URL path to be used in + the HTTP GET request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. type: string required: - urlPath @@ -87,20 +130,29 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -108,24 +160,44 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -137,30 +209,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -172,31 +268,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -211,7 +327,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. If neither are provided, the + generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -221,7 +340,10 @@ spec: type: string type: object data: - description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -233,24 +355,40 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -258,24 +396,44 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -287,30 +445,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -322,31 +504,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -358,18 +560,25 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify + resources. DEPRECATED. Use PatchStrategicMerge instead. + Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to + modify resources. DEPRECATED. Use PatchesJSON6902 instead. + Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported + by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -382,98 +591,133 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be unique within the policy. + description: Name is a label to identify the rule, It must be + unique within the policy. maxLength: 63 type: string preconditions: - description: AnyAllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. This too can be made to happen in a logical-manner where in some situation all the conditions need to pass and in some other situation, atleast one condition is enough to pass. For the sake of backwards compatibility, it can be populated with []kyverno.Condition. + description: AnyAllConditions enable variable-based conditional + rule execution. This is useful for finer control of when an + rule is applied. A condition can reference object data using + JMESPath notation. This too can be made to happen in a logical-manner + where in some situation all the conditions need to pass and + in some other situation, atleast one condition is enough to + pass. For the sake of backwards compatibility, it can be populated + with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation rule. + description: Deny defines conditions to fail the validation + rule. properties: conditions: - description: specifies the set of conditions to deny in a logical manner For the sake of backwards compatibility, it can be populated with []kyverno.Condition. + description: specifies the set of conditions to deny + in a logical manner For the sake of backwards compatibility, + it can be populated with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed on failure. + description: Message specifies a custom message to be displayed + on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern used to check resources. + description: Pattern specifies an overlay-style pattern + used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy + rule failure should disallow the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process + the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule within a policy. + description: RuleStats provides statistics for an individual rule + within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this rule was applied. + description: AppliedCount is the total number of times this + rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute this rule. + description: ExecutionTime is the average time taken to execute + this rule. type: string failedCount: - description: FailedCount is the total count of policy error results for this rule. + description: FailedCount is the total count of policy error + results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure results for this rule. + description: ViolationCount is the total count of policy failure + results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy was applied. + description: RulesAppliedCount is the total number of times this policy + was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution errors for this policy. + description: RulesFailedCount is the total count of policy execution + errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results for this policy. + description: ViolationCount is the total count of policy failure results + for this policy. type: integer type: object required: @@ -496,6 +740,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -538,20 +789,26 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category @@ -559,30 +816,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array @@ -594,19 +867,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -618,7 +930,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -652,13 +965,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -670,28 +993,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -703,26 +1037,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object @@ -742,6 +1084,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -784,20 +1133,26 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category @@ -805,30 +1160,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array @@ -840,19 +1211,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -864,7 +1274,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -898,13 +1309,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -916,28 +1337,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -949,26 +1381,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object @@ -988,6 +1428,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -1025,10 +1472,14 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1039,10 +1490,12 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an admission request. + description: RequestInfo contains permission info carried in an + admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles send the request. + description: ClusterRoles is a list of possible clusterRoles + send the request. items: type: string nullable: true @@ -1054,15 +1507,18 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission request. + description: UserInfo is the userInfo carried in the admission + request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf can generate + description: ExtraValue masks the value so protobuf + can generate items: type: string type: array - description: Any additional information provided by the authenticator. + description: Any additional information provided by the + authenticator. type: object groups: description: The names of groups this user is a part of. @@ -1070,10 +1526,14 @@ spec: type: string type: array uid: - description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. + description: A unique value that identifies this user + across time. If this user is deleted and another user + by the same name is added, they will have different + UIDs. type: string username: - description: The name that uniquely identifies this user among all active users. + description: The name that uniquely identifies this user + among all active users. type: string type: object type: object @@ -1082,7 +1542,8 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate request. + description: ResourceSpec is the information to identify the generate + request. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -1106,7 +1567,8 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the + generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: @@ -1153,6 +1615,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: policies.kyverno.io spec: group: kyverno.io @@ -1175,13 +1644,19 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' + description: 'Policy declares validation, mutation, and generation behaviors + for matching resources. See: https://kyverno.io/docs/writing-policies/ for + more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1189,26 +1664,49 @@ spec: description: Spec defines policy behaviors and contains one or rules. properties: background: - description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. properties: context: - description: Context defines variables and data sources that can be used during rule execution. + description: Context defines variables and data sources that + can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + description: APICall defines an HTTP request to the Kubernetes + API server. The JSON data retrieved is stored in the + context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the API server. For example a JMESPath + of "items | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + description: URLPath is the URL path to be used in + the HTTP GET request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. type: string required: - urlPath @@ -1231,20 +1729,29 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1252,24 +1759,44 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -1281,30 +1808,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -1316,31 +1867,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -1355,7 +1926,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. If neither are provided, the + generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -1365,7 +1939,10 @@ spec: type: string type: object data: - description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1377,24 +1954,40 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1402,24 +1995,44 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -1431,30 +2044,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -1466,31 +2103,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -1502,18 +2159,25 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify + resources. DEPRECATED. Use PatchStrategicMerge instead. + Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to + modify resources. DEPRECATED. Use PatchesJSON6902 instead. + Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported + by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -1526,98 +2190,133 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be unique within the policy. + description: Name is a label to identify the rule, It must be + unique within the policy. maxLength: 63 type: string preconditions: - description: AnyAllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. This too can be made to happen in a logical-manner where in some situation all the conditions need to pass and in some other situation, atleast one condition is enough to pass. For the sake of backwards compatibility, it can be populated with []kyverno.Condition. + description: AnyAllConditions enable variable-based conditional + rule execution. This is useful for finer control of when an + rule is applied. A condition can reference object data using + JMESPath notation. This too can be made to happen in a logical-manner + where in some situation all the conditions need to pass and + in some other situation, atleast one condition is enough to + pass. For the sake of backwards compatibility, it can be populated + with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation rule. + description: Deny defines conditions to fail the validation + rule. properties: conditions: - description: specifies the set of conditions to deny in a logical manner For the sake of backwards compatibility, it can be populated with []kyverno.Condition. + description: specifies the set of conditions to deny + in a logical manner For the sake of backwards compatibility, + it can be populated with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed on failure. + description: Message specifies a custom message to be displayed + on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern used to check resources. + description: Pattern specifies an overlay-style pattern + used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy + rule failure should disallow the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime information. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process + the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule within a policy. + description: RuleStats provides statistics for an individual rule + within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this rule was applied. + description: AppliedCount is the total number of times this + rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute this rule. + description: ExecutionTime is the average time taken to execute + this rule. type: string failedCount: - description: FailedCount is the total count of policy error results for this rule. + description: FailedCount is the total count of policy error + results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure results for this rule. + description: ViolationCount is the total count of policy failure + results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy was applied. + description: RulesAppliedCount is the total number of times this policy + was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution errors for this policy. + description: RulesFailedCount is the total count of policy execution + errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results for this policy. + description: ViolationCount is the total count of policy failure results + for this policy. type: integer type: object required: @@ -1640,6 +2339,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -1685,17 +2391,22 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category @@ -1703,30 +2414,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array @@ -1738,19 +2465,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1762,7 +2528,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -1796,13 +2563,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1814,28 +2591,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -1847,26 +2635,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object @@ -1886,6 +2682,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -1928,20 +2731,26 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests API + description: ReportChangeRequest is the Schema for the ReportChangeRequests + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category @@ -1949,30 +2758,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array @@ -1984,19 +2809,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2008,7 +2872,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2042,13 +2907,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2060,28 +2935,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -2093,26 +2979,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object @@ -2129,6 +3023,14 @@ status: apiVersion: v1 kind: ServiceAccount metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno-service-account namespace: kyverno --- @@ -2136,6 +3038,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: @@ -2151,6 +3060,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -2166,6 +3082,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: @@ -2180,6 +3103,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:customresources rules: - apiGroups: @@ -2217,6 +3148,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:generatecontroller rules: - apiGroups: @@ -2244,6 +3183,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + app: kyverno + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:policycontroller rules: - apiGroups: @@ -2259,6 +3206,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:userinfo rules: - apiGroups: @@ -2277,6 +3232,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:webhook rules: - apiGroups: @@ -2321,6 +3284,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:customresources roleRef: apiGroup: rbac.authorization.k8s.io @@ -2334,6 +3305,14 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:generatecontroller roleRef: apiGroup: rbac.authorization.k8s.io @@ -2347,6 +3326,14 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:policycontroller roleRef: apiGroup: rbac.authorization.k8s.io @@ -2360,6 +3347,14 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -2373,6 +3368,14 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -2389,6 +3392,14 @@ data: resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]' kind: ConfigMap metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: init-config namespace: kyverno --- @@ -2397,7 +3408,12 @@ kind: Service metadata: labels: app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno-svc namespace: kyverno spec: @@ -2406,14 +3422,18 @@ spec: targetPort: https selector: app: kyverno - app.kubernetes.io/name: kyverno --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno namespace: kyverno spec: @@ -2421,12 +3441,16 @@ spec: selector: matchLabels: app: kyverno - app.kubernetes.io/name: kyverno template: metadata: labels: app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 spec: containers: - args: diff --git a/definitions/k8s-resource/clusterrolebindings.yaml b/definitions/k8s-resource/clusterrolebindings.yaml index 2271a921c2..851e55209a 100644 --- a/definitions/k8s-resource/clusterrolebindings.yaml +++ b/definitions/k8s-resource/clusterrolebindings.yaml @@ -2,6 +2,8 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: + labels: + app: kyverno name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -15,6 +17,8 @@ subjects: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: + labels: + app: kyverno name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -28,6 +32,8 @@ subjects: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: + labels: + app: kyverno name: kyverno:customresources roleRef: apiGroup: rbac.authorization.k8s.io @@ -41,6 +47,8 @@ subjects: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: + labels: + app: kyverno name: kyverno:policycontroller roleRef: apiGroup: rbac.authorization.k8s.io @@ -54,6 +62,8 @@ subjects: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: + labels: + app: kyverno name: kyverno:generatecontroller roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/definitions/k8s-resource/clusterroles.yaml b/definitions/k8s-resource/clusterroles.yaml index 2edb483303..29687d1e60 100755 --- a/definitions/k8s-resource/clusterroles.yaml +++ b/definitions/k8s-resource/clusterroles.yaml @@ -2,16 +2,17 @@ kind: Namespace apiVersion: v1 metadata: - name: "kyverno" + labels: + app: kyverno + name: kyverno --- apiVersion: v1 kind: Service metadata: - namespace: kyverno - name: kyverno-svc labels: app: kyverno - app.kubernetes.io/name: kyverno + namespace: kyverno + name: kyverno-svc spec: ports: - port: 443 @@ -22,17 +23,20 @@ spec: targetPort: metrics-port selector: app: kyverno - app.kubernetes.io/name: kyverno --- apiVersion: v1 kind: ServiceAccount metadata: + labels: + app: kyverno name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno name: kyverno:webhook rules: # Dynamic creation of webhooks, events & certs @@ -78,6 +82,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno name: kyverno:userinfo rules: # get the roleRef for incoming api-request user @@ -97,6 +103,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno name: kyverno:customresources rules: # Kyverno CRs @@ -135,6 +143,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno name: kyverno:policycontroller rules: # background processing, identify all existing resources @@ -151,6 +161,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno name: kyverno:generatecontroller rules: # process generate rules to generate resources @@ -182,6 +194,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: + app: kyverno rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: @@ -197,6 +210,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: + app: kyverno rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -212,6 +226,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: + app: kyverno rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: diff --git a/definitions/k8s-resource/configmap.yaml b/definitions/k8s-resource/configmap.yaml index 2c1e5b7d23..11f51b6229 100755 --- a/definitions/k8s-resource/configmap.yaml +++ b/definitions/k8s-resource/configmap.yaml @@ -4,5 +4,7 @@ data: excludeGroupRole: 'system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler' kind: ConfigMap metadata: + labels: + app: kyverno name: init-config namespace: kyverno diff --git a/definitions/kustomization.yaml b/definitions/kustomization.yaml index 700766361b..bc334f4b7c 100755 --- a/definitions/kustomization.yaml +++ b/definitions/kustomization.yaml @@ -1,10 +1,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +transformers: + - labels.yaml + resources: - ./crds/ - ./manifest/ - ./k8s-resource/ + images: - name: ghcr.io/kyverno/kyverno newName: ghcr.io/kyverno/kyverno diff --git a/definitions/labels.yaml b/definitions/labels.yaml new file mode 100644 index 0000000000..d6ffd8df8c --- /dev/null +++ b/definitions/labels.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: builtin +kind: LabelTransformer +metadata: + name: labelTransformer +labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 +fieldSpecs: +- path: metadata/labels + create: true +- kind: Deployment + path: spec/template/metadata/labels + create: true diff --git a/definitions/manifest/deployment.yaml b/definitions/manifest/deployment.yaml index 2ddc027091..2c184847c4 100755 --- a/definitions/manifest/deployment.yaml +++ b/definitions/manifest/deployment.yaml @@ -2,22 +2,19 @@ apiVersion: apps/v1 kind: Deployment metadata: - namespace: kyverno - name: kyverno labels: app: kyverno - app.kubernetes.io/name: kyverno + namespace: kyverno + name: kyverno spec: selector: matchLabels: app: kyverno - app.kubernetes.io/name: kyverno replicas: 1 template: metadata: labels: app: kyverno - app.kubernetes.io/name: kyverno spec: serviceAccountName: kyverno-service-account securityContext: diff --git a/definitions/release/install.yaml b/definitions/release/install.yaml index c1fbe64d02..94522460af 100755 --- a/definitions/release/install.yaml +++ b/definitions/release/install.yaml @@ -1,6 +1,14 @@ apiVersion: v1 kind: Namespace metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 @@ -9,6 +17,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -31,13 +46,18 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -45,26 +65,49 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. properties: context: - description: Context defines variables and data sources that can be used during rule execution. + description: Context defines variables and data sources that + can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + description: APICall defines an HTTP request to the Kubernetes + API server. The JSON data retrieved is stored in the + context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the API server. For example a JMESPath + of "items | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + description: URLPath is the URL path to be used in + the HTTP GET request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. type: string required: - urlPath @@ -87,20 +130,29 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -108,24 +160,44 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -137,30 +209,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -172,31 +268,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -211,7 +327,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. If neither are provided, the + generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -221,7 +340,10 @@ spec: type: string type: object data: - description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -233,24 +355,40 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -258,24 +396,44 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -287,30 +445,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -322,31 +504,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -358,18 +560,25 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify + resources. DEPRECATED. Use PatchStrategicMerge instead. + Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to + modify resources. DEPRECATED. Use PatchesJSON6902 instead. + Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported + by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -382,98 +591,133 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be unique within the policy. + description: Name is a label to identify the rule, It must be + unique within the policy. maxLength: 63 type: string preconditions: - description: AnyAllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. This too can be made to happen in a logical-manner where in some situation all the conditions need to pass and in some other situation, atleast one condition is enough to pass. For the sake of backwards compatibility, it can be populated with []kyverno.Condition. + description: AnyAllConditions enable variable-based conditional + rule execution. This is useful for finer control of when an + rule is applied. A condition can reference object data using + JMESPath notation. This too can be made to happen in a logical-manner + where in some situation all the conditions need to pass and + in some other situation, atleast one condition is enough to + pass. For the sake of backwards compatibility, it can be populated + with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation rule. + description: Deny defines conditions to fail the validation + rule. properties: conditions: - description: specifies the set of conditions to deny in a logical manner For the sake of backwards compatibility, it can be populated with []kyverno.Condition. + description: specifies the set of conditions to deny + in a logical manner For the sake of backwards compatibility, + it can be populated with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed on failure. + description: Message specifies a custom message to be displayed + on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern used to check resources. + description: Pattern specifies an overlay-style pattern + used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy + rule failure should disallow the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process + the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule within a policy. + description: RuleStats provides statistics for an individual rule + within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this rule was applied. + description: AppliedCount is the total number of times this + rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute this rule. + description: ExecutionTime is the average time taken to execute + this rule. type: string failedCount: - description: FailedCount is the total count of policy error results for this rule. + description: FailedCount is the total count of policy error + results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure results for this rule. + description: ViolationCount is the total count of policy failure + results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy was applied. + description: RulesAppliedCount is the total number of times this policy + was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution errors for this policy. + description: RulesFailedCount is the total count of policy execution + errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results for this policy. + description: ViolationCount is the total count of policy failure results + for this policy. type: integer type: object required: @@ -496,6 +740,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -538,20 +789,26 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category @@ -559,30 +816,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array @@ -594,19 +867,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -618,7 +930,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -652,13 +965,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -670,28 +993,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -703,26 +1037,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object @@ -742,6 +1084,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -784,20 +1133,26 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category @@ -805,30 +1160,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array @@ -840,19 +1211,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -864,7 +1274,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -898,13 +1309,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -916,28 +1337,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -949,26 +1381,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object @@ -988,6 +1428,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -1025,10 +1472,14 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1039,10 +1490,12 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an admission request. + description: RequestInfo contains permission info carried in an + admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles send the request. + description: ClusterRoles is a list of possible clusterRoles + send the request. items: type: string nullable: true @@ -1054,15 +1507,18 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission request. + description: UserInfo is the userInfo carried in the admission + request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf can generate + description: ExtraValue masks the value so protobuf + can generate items: type: string type: array - description: Any additional information provided by the authenticator. + description: Any additional information provided by the + authenticator. type: object groups: description: The names of groups this user is a part of. @@ -1070,10 +1526,14 @@ spec: type: string type: array uid: - description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. + description: A unique value that identifies this user + across time. If this user is deleted and another user + by the same name is added, they will have different + UIDs. type: string username: - description: The name that uniquely identifies this user among all active users. + description: The name that uniquely identifies this user + among all active users. type: string type: object type: object @@ -1082,7 +1542,8 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate request. + description: ResourceSpec is the information to identify the generate + request. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -1106,7 +1567,8 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the + generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: @@ -1153,6 +1615,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: policies.kyverno.io spec: group: kyverno.io @@ -1175,13 +1644,19 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' + description: 'Policy declares validation, mutation, and generation behaviors + for matching resources. See: https://kyverno.io/docs/writing-policies/ for + more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1189,26 +1664,49 @@ spec: description: Spec defines policy behaviors and contains one or rules. properties: background: - description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. properties: context: - description: Context defines variables and data sources that can be used during rule execution. + description: Context defines variables and data sources that + can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + description: APICall defines an HTTP request to the Kubernetes + API server. The JSON data retrieved is stored in the + context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the API server. For example a JMESPath + of "items | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + description: URLPath is the URL path to be used in + the HTTP GET request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. type: string required: - urlPath @@ -1231,20 +1729,29 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1252,24 +1759,44 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -1281,30 +1808,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -1316,31 +1867,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -1355,7 +1926,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. If neither are provided, the + generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -1365,7 +1939,10 @@ spec: type: string type: object data: - description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1377,24 +1954,40 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1402,24 +1995,44 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -1431,30 +2044,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array @@ -1466,31 +2103,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -1502,18 +2159,25 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify + resources. DEPRECATED. Use PatchStrategicMerge instead. + Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to + modify resources. DEPRECATED. Use PatchesJSON6902 instead. + Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported + by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -1526,98 +2190,133 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be unique within the policy. + description: Name is a label to identify the rule, It must be + unique within the policy. maxLength: 63 type: string preconditions: - description: AnyAllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. This too can be made to happen in a logical-manner where in some situation all the conditions need to pass and in some other situation, atleast one condition is enough to pass. For the sake of backwards compatibility, it can be populated with []kyverno.Condition. + description: AnyAllConditions enable variable-based conditional + rule execution. This is useful for finer control of when an + rule is applied. A condition can reference object data using + JMESPath notation. This too can be made to happen in a logical-manner + where in some situation all the conditions need to pass and + in some other situation, atleast one condition is enough to + pass. For the sake of backwards compatibility, it can be populated + with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation rule. + description: Deny defines conditions to fail the validation + rule. properties: conditions: - description: specifies the set of conditions to deny in a logical manner For the sake of backwards compatibility, it can be populated with []kyverno.Condition. + description: specifies the set of conditions to deny + in a logical manner For the sake of backwards compatibility, + it can be populated with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed on failure. + description: Message specifies a custom message to be displayed + on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern used to check resources. + description: Pattern specifies an overlay-style pattern + used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy + rule failure should disallow the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime information. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process + the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule within a policy. + description: RuleStats provides statistics for an individual rule + within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this rule was applied. + description: AppliedCount is the total number of times this + rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute this rule. + description: ExecutionTime is the average time taken to execute + this rule. type: string failedCount: - description: FailedCount is the total count of policy error results for this rule. + description: FailedCount is the total count of policy error + results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission + review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources + that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources + that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure results for this rule. + description: ViolationCount is the total count of policy failure + results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy was applied. + description: RulesAppliedCount is the total number of times this policy + was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution errors for this policy. + description: RulesFailedCount is the total count of policy execution + errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results for this policy. + description: ViolationCount is the total count of policy failure results + for this policy. type: integer type: object required: @@ -1640,6 +2339,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -1685,17 +2391,22 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category @@ -1703,30 +2414,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array @@ -1738,19 +2465,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1762,7 +2528,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -1796,13 +2563,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1814,28 +2591,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -1847,26 +2635,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object @@ -1886,6 +2682,13 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -1928,20 +2731,26 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests API + description: ReportChangeRequest is the Schema for the ReportChangeRequests + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category @@ -1949,30 +2758,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array @@ -1984,19 +2809,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2008,7 +2872,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2042,13 +2907,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2060,28 +2935,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array @@ -2093,26 +2979,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object @@ -2129,6 +3023,14 @@ status: apiVersion: v1 kind: ServiceAccount metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno-service-account namespace: kyverno --- @@ -2136,6 +3038,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: @@ -2151,6 +3060,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -2166,6 +3082,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: @@ -2180,6 +3103,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:customresources rules: - apiGroups: @@ -2217,6 +3148,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:generatecontroller rules: - apiGroups: @@ -2244,6 +3183,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + app: kyverno + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:policycontroller rules: - apiGroups: @@ -2259,6 +3206,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:userinfo rules: - apiGroups: @@ -2277,6 +3232,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:webhook rules: - apiGroups: @@ -2321,6 +3284,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:customresources roleRef: apiGroup: rbac.authorization.k8s.io @@ -2334,6 +3305,14 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:generatecontroller roleRef: apiGroup: rbac.authorization.k8s.io @@ -2347,6 +3326,14 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:policycontroller roleRef: apiGroup: rbac.authorization.k8s.io @@ -2360,6 +3347,14 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -2373,6 +3368,14 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -2389,6 +3392,14 @@ data: resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]' kind: ConfigMap metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: init-config namespace: kyverno --- @@ -2397,7 +3408,12 @@ kind: Service metadata: labels: app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno-svc namespace: kyverno spec: @@ -2406,14 +3422,18 @@ spec: targetPort: https selector: app: kyverno - app.kubernetes.io/name: kyverno --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 name: kyverno namespace: kyverno spec: @@ -2421,12 +3441,16 @@ spec: selector: matchLabels: app: kyverno - app.kubernetes.io/name: kyverno template: metadata: labels: app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.3.6-rc1 spec: containers: - args: