From 63b03a8442bdd403cf9e71fdd5f8243e073b3bd1 Mon Sep 17 00:00:00 2001 From: Srikanth Iyengar Date: Sun, 4 Feb 2024 18:27:00 +0530 Subject: [PATCH] (docs) changed docs tool to kubernetes-sigs/reference-docs (#9212) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * (docs) updated gen-crd tool to reference-docs/genref Signed-off-by: Srikanth Iyengar * (docs) updated branch with recent docs Signed-off-by: Srikanth Iyengar * codegen Signed-off-by: Charles-Edouard Brétéché * codegen Signed-off-by: Charles-Edouard Brétéché * codegen Signed-off-by: Charles-Edouard Brétéché * (docs) codegen * fix Signed-off-by: Charles-Edouard Brétéché * codegen Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Srikanth Iyengar 
Signed-off-by: Charles-Edouard Brétéché Co-authored-by: Charles-Edouard Brétéché Co-authored-by: shuting
---
 Makefile | 22 +- .../cli/crd/kyverno_kubectl.v1alpha1.html | 2062 ++++ docs/user/config-api.yaml | 54 + docs/user/config-cli-api.yaml | 29 + docs/user/crd/kyverno.v1.html | 9073 +++++++++++++++++ docs/user/crd/kyverno.v1alpha2.html | 771 ++ docs/user/crd/kyverno.v1beta1.html | 1149 +++ docs/user/crd/kyverno.v2alpha1.html | 1523 +++ docs/user/crd/kyverno.v2beta1.html | 4836 +++++++++ .../crd/kyverno_policyreport.v1alpha2.html | 1012 ++ docs/user/html/members.tpl | 48 + docs/user/html/pkg.tpl | 56 + docs/user/html/type.tpl | 52 + 13 files changed, 20683 insertions(+), 4 deletions(-) create mode 100644 docs/user/cli/crd/kyverno_kubectl.v1alpha1.html create mode 100644 docs/user/config-api.yaml create mode 100644 docs/user/config-cli-api.yaml create mode 100644 docs/user/crd/kyverno.v1.html create mode 100644 docs/user/crd/kyverno.v1alpha2.html create mode 100644 docs/user/crd/kyverno.v1beta1.html create mode 100644 docs/user/crd/kyverno.v2alpha1.html create mode 100644 docs/user/crd/kyverno.v2beta1.html create mode 100644 docs/user/crd/kyverno_policyreport.v1alpha2.html create mode 100644 docs/user/html/members.tpl create mode 100644 docs/user/html/pkg.tpl create mode 100644 docs/user/html/type.tpl
diff --git a/Makefile b/Makefile
index 1638bbce22..62fcd69caa 100644
--- a/Makefile
+++ b/Makefile
@@ -48,6 +48,8 @@ APPLYCONFIGURATION_GEN ?= $(TOOLS_DIR)/applyconfiguration-gen
 CODE_GEN_VERSION ?= v0.28.0
 GEN_CRD_API_REFERENCE_DOCS ?= $(TOOLS_DIR)/gen-crd-api-reference-docs
 GEN_CRD_API_REFERENCE_DOCS_VERSION ?= latest
+GENREF ?= $(TOOLS_DIR)/genref
+GENREF_VERSION ?= master
 GO_ACC ?= $(TOOLS_DIR)/go-acc
 GO_ACC_VERSION ?= latest
 GOIMPORTS ?= $(TOOLS_DIR)/goimports
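Review bot: `GENREF_VERSION ?= master` pins the new documentation generator to a moving branch, so the `go install github.com/kubernetes-sigs/reference-docs/genref@$(GENREF_VERSION)` recipe in the `$(GENREF)` target of the `@@ -111,6 +113,10 @@` hunk resolves to whatever that branch points at on the day the target runs, and two checkouts can emit different docs/user/crd output. The other generators declared in this block are pinned (`CODE_GEN_VERSION ?= v0.28.0`, `KO_VERSION ?= v0.14.1`), and the existing `GEN_CRD_API_REFERENCE_DOCS_VERSION ?= latest` is the pattern this change would be better not repeating. Suggest pinning to a release tag or full commit SHA, e.g. `GENREF_VERSION ?= <genref tag or commit>` (placeholder), so the resolved module version is fixed and the generated docs are reproducible.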
@@ -59,7 +61,7 @@ HELM_DOCS_VERSION ?= v1.11.0
 KO ?= $(TOOLS_DIR)/ko
 KO_VERSION ?= v0.14.1
 KUBE_VERSION ?= v1.25.0
-TOOLS := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(REGISTER_GEN) $(DEEPCOPY_GEN) $(DEFAULTER_GEN) $(APPLYCONFIGURATION_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO)
+TOOLS := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(REGISTER_GEN) $(DEEPCOPY_GEN) $(DEFAULTER_GEN) $(APPLYCONFIGURATION_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GENREF) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO)
 ifeq ($(GOOS), darwin)
 SED := gsed
 else
@@ -111,6 +113,10 @@ $(GEN_CRD_API_REFERENCE_DOCS):
 @echo Install gen-crd-api-reference-docs... >&2
 @GOBIN=$(TOOLS_DIR) go install github.com/ahmetb/gen-crd-api-reference-docs@$(GEN_CRD_API_REFERENCE_DOCS_VERSION)
 
+$(GENREF):
+ @echo Install genref... >&2
+ @GOBIN=$(TOOLS_DIR) go install github.com/kubernetes-sigs/reference-docs/genref@$(GENREF_VERSION)
+
 $(GO_ACC):
 @echo Install go-acc... >&2
 @GOBIN=$(TOOLS_DIR) go install github.com/ory/go-acc@$(GO_ACC_VERSION)
@@ -520,7 +526,7 @@ codegen-helm-docs: ## Generate helm docs
 @docker run -v ${PWD}/charts:/work -w /work jnorwood/helm-docs:v1.11.0 -s file
 
 .PHONY: codegen-api-docs
-codegen-api-docs: $(PACKAGE_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) ## Generate API docs
+codegen-api-docs: $(PACKAGE_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) $(GENREF) ## Generate API docs
 @echo Generate api docs... >&2
 @rm -rf docs/user/crd && mkdir -p docs/user/crd
 @GOPATH=$(GOPATH_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) -v 4 \
@@ -528,9 +534,13 @@ codegen-api-docs: $(PACKAGE_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) ## Generate API
 -config docs/user/config.json \
 -template-dir docs/user/template \
 -out-file docs/user/crd/index.html
+ @cd ./docs/user && GOPATH=$(GOPATH_SHIM) $(GENREF) \
+ -c config-api.yaml \
+ -o crd \
+ -f html
 
 .PHONY: codegen-cli-api-docs
-codegen-cli-api-docs: $(PACKAGE_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) ## Generate CLI API docs
+codegen-cli-api-docs: $(PACKAGE_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) $(GENREF) ## Generate CLI API docs
 @echo Generate CLI api docs... >&2
 @rm -rf docs/user/cli/crd && mkdir -p docs/user/cli/crd
 @GOPATH=$(GOPATH_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) -v 4 \
@@ -538,6 +548,10 @@ codegen-cli-api-docs: $(PACKAGE_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) ## Generate
 -config docs/user/config.json \
 -template-dir docs/user/template \
 -out-file docs/user/cli/crd/index.html
+ @cd ./docs/user && GOPATH=$(GOPATH_SHIM) $(GENREF) \
+ -c config-cli-api.yaml \
+ -o cli/crd \
+ -f html
 
 .PHONY: codegen-cli-docs
 codegen-cli-docs: $(CLI_BIN) ## Generate CLI docs
@@ -555,7 +569,7 @@ codegen-cli-crds: codegen-crds-kyverno ## Copy generated CRDs to embed in the CL
 @cp cmd/cli/kubectl-kyverno/config/crds/* cmd/cli/kubectl-kyverno/data/crds
 
 .PHONY: codegen-docs-all
-codegen-docs-all: codegen-helm-docs codegen-cli-docs codegen-api-docs ## Generate all docs
+codegen-docs-all: codegen-helm-docs codegen-cli-docs codegen-api-docs codegen-cli-api-docs ## Generate all docs
 
 .PHONY: codegen-fix-tests
 codegen-fix-tests: $(CLI_BIN) ## Fix CLI test files
diff --git a/docs/user/cli/crd/kyverno_kubectl.v1alpha1.html b/docs/user/cli/crd/kyverno_kubectl.v1alpha1.html
new file mode 100644
index 0000000000..5794dc0e9f
--- /dev/null
+++ b/docs/user/cli/crd/kyverno_kubectl.v1alpha1.html
@@ -0,0 +1,2062 @@
+ + + + + + + + + +
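Review bot: The new `@cd ./docs/user && GOPATH=$(GOPATH_SHIM) $(GENREF) -c config-api.yaml -o crd -f html` step runs after the existing `$(GEN_CRD_API_REFERENCE_DOCS)` invocation and writes into the same `docs/user/crd` directory, and that older tool stays in the prerequisite list, so the target now drives two generators even though the commit title says the tool was changed. If the old generator is meant to go, its prerequisite and the `-config docs/user/config.json ... -out-file docs/user/crd/index.html` invocation should be dropped here and in the `@@ -538,6 +548,10 @@` hunk of codegen-cli-api-docs; if both are intentional during a transition, a comment such as `# genref output is written beside the legacy index.html until the old generator is retired` above the new line would make that explicit. The codegen-api-docs recipe begins outside this hunk.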
+ + + +

Package: cli.kyverno.io/v1alpha1

+

+ + + + + +

Resource Types:

+ + + + +

Test +

+ + + +

Test declares a test

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
cli.kyverno.io/v1alpha1
kind
string
Test
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
name + + * + +
+ + + + + string + + +
+ + +

Name is the name of the test. +This field is deprecated, use metadata.name instead

+ + + + + +
policies + + * + +
+ + + + + []string + + +
+ + +

Policies are the policies to be used in the test

+ + + + + +
resources + + * + +
+ + + + + []string + + +
+ + +

Resources are the resource to be used in the test

+ + + + + +
variables + + * + +
+ + + + + string + + +
+ + +

Variables is the values to be used in the test

+ + + + + +
userinfo + + * + +
+ + + + + string + + +
+ + +

UserInfo is the user info to be used in the test

+ + + + + +
results + + * + +
+ + + + + + []TestResult + + + +
+ + +

Results are the results to be checked in the test

+ + + + + +
checks + + * + +
+ + + + + + []CheckResult + + + +
+ + +

Checks are the verifications to be checked in the test

+ + + + + +
values + + * + +
+ + + + + + ValuesSpec + + + +
+ + +

Values are the values to be used in the test

+ + + + + +
exceptions + + * + +
+ + + + + []string + + +
+ + +

Policy Exceptions are the policy exceptions to be used in the test

+ + + + + +
+ + +

UserInfo +

+ + + +

UserInfo declares user infos to be loaded by the Kyverno CLI

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
cli.kyverno.io/v1alpha1
kind
string
UserInfo
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
RequestInfo + + * + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v1beta1.RequestInfo + + +
+ +

(Members of RequestInfo are embedded into this type.)

+ + +

RequestInfo declares user infos

+ + + + + +
+ + +

Values +

+ + + +

Values declares values to be loaded by the Kyverno CLI

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
cli.kyverno.io/v1alpha1
kind
string
Values
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
ValuesSpec + + * + +
+ + + + + + ValuesSpec + + + +
+ +

(Members of ValuesSpec are embedded into this type.)

+ + +

ValuesSpec declares values

+ + + + + +
+ + +

CheckMatch +

+ + +

+ (Appears in: + CheckResult) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
resource + + * + +
+ + + + + github.com/kyverno/kyverno-json/pkg/apis/v1alpha1.Any + + +
+ + +

Resource filters engine responses

+ + + + + +
policy + + * + +
+ + + + + github.com/kyverno/kyverno-json/pkg/apis/v1alpha1.Any + + +
+ + +

Policy filters engine responses

+ + + + + +
rule + + * + +
+ + + + + github.com/kyverno/kyverno-json/pkg/apis/v1alpha1.Any + + +
+ + +

Rule filters rule responses

+ + + + + +
+ + +

CheckResult +

+ + +

+ (Appears in: + Test) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
match + + * + +
+ + + + + + CheckMatch + + + +
+ + +

Match tells how to match relevant rule responses

+ + + + + +
assert + + * + +
+ + + + + github.com/kyverno/kyverno-json/pkg/apis/v1alpha1.Any + + +
+ + +

Assert contains assertion to be performed on the relevant rule responses

+ + + + + +
error + + * + +
+ + + + + github.com/kyverno/kyverno-json/pkg/apis/v1alpha1.Any + + +
+ + +

Error contains negative assertion to be performed on the relevant rule responses

+ + + + + +
+ + +

NamespaceSelector +

+ + +

+ (Appears in: + ValuesSpec) +

+ + +

NamespaceSelector declares labels for a given namespace

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
name + + * + +
+ + + + + string + + +
+ + +

Name is the namespace name

+ + + + + +
labels + + * + +
+ + + + + map[string]string + + +
+ + +

Labels are the labels for the given namespace

+ + + + + +
+ + +

Policy +

+ + +

+ (Appears in: + ValuesSpec) +

+ + +

Policy declares values for a given policy

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
name + + * + +
+ + + + + string + + +
+ + +

Name is the policy name

+ + + + + +
resources + + * + +
+ + + + + + []Resource + + + +
+ + +

Resources are values for specific resources

+ + + + + +
rules + + * + +
+ + + + + + []Rule + + + +
+ + +

Rules are values for specific policy rules

+ + + + + +
+ + +

Resource +

+ + +

+ (Appears in: + Policy) +

+ + +

Resource declares values for a given resource

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
name + + * + +
+ + + + + string + + +
+ + +

Name is the name of the resource

+ + + + + +
values + + * + +
+ + + + + map[string]interface{} + + +
+ + +

Values are the values for the given resource

+ + + + + +
+ + +

Rule +

+ + +

+ (Appears in: + Policy) +

+ + +

Rule declares values for a given policy rule

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
name + + * + +
+ + + + + string + + +
+ + +

Name is the name of the ppolicy rule

+ + + + + +
values + + * + +
+ + + + + map[string]interface{} + + +
+ + +

Values are the values for the given policy rule

+ + + + + +
foreachValues + + * + +
+ + + + + map[string][]interface{} + + +
+ + +

ForeachValues are the foreach values for the given policy rule

+ + + + + +
+ + +

Subresource +

+ + +

+ (Appears in: + ValuesSpec) +

+ + +

Subresource declares subresource/parent resource mapping

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
subresource + + * + +
+ + + + + meta/v1.APIResource + + +
+ + +

Subresource declares the subresource api

+ + + + + +
parentResource + + * + +
+ + + + + meta/v1.APIResource + + +
+ + +

ParentResource declares the parent resource api

+ + + + + +
+ + +

TestResult +

+ + +

+ (Appears in: + Test) +

+ + +

TestResultBase declares a test result

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
TestResultBase + + * + +
+ + + + + + TestResultBase + + + +
+ +

(Members of TestResultBase are embedded into this type.)

+ + + + + + + +
TestResultDeprecated + + * + +
+ + + + + + TestResultDeprecated + + + +
+ +

(Members of TestResultDeprecated are embedded into this type.)

+ + + + + + + +
resources + + * + +
+ + + + + []string + + +
+ + +

Resources gives us the list of resources on which the policy is going to be applied.

+ + + + + +
+ + +

TestResultBase +

+ + +

+ (Appears in: + TestResult) +

+ + +

TestResultBase declares a test result base fields

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
policy + + * + +
+ + + + + string + + +
+ + +

Policy mentions the name of the policy.

+ + + + + +
rule + +
+ + + + + string + + +
+ + +

Rule mentions the name of the rule in the policy. +It's required in case policy is a kyverno policy.

+ + + + + +
isValidatingAdmissionPolicy + +
+ + + + + bool + + +
+ + +

IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy. +It's required in case policy is a validating admission policy.

+ + + + + +
result + + * + +
+ + + + + github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyResult + + +
+ + +

Result mentions the result that the user is expecting. +Possible values are pass, fail and skip.

+ + + + + +
kind + + * + +
+ + + + + string + + +
+ + +

Kind mentions the kind of the resource on which the policy is to be applied.

+ + + + + +
patchedResource + + * + +
+ + + + + string + + +
+ + +

PatchedResource takes a resource configuration file in yaml format from +the user to compare it against the Kyverno mutated resource configuration.

+ + + + + +
generatedResource + + * + +
+ + + + + string + + +
+ + +

GeneratedResource takes a resource configuration file in yaml format from +the user to compare it against the Kyverno generated resource configuration.

+ + + + + +
cloneSourceResource + + * + +
+ + + + + string + + +
+ + +

CloneSourceResource takes the resource configuration file in yaml format +from the user which is meant to be cloned by the generate rule.

+ + + + + +
+ + +

TestResultDeprecated +

+ + +

+ (Appears in: + TestResult) +

+ + +

TestResultBase declares a test result deprecated fields

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
status + + * + +
+ + + + + github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyResult + + +
+ + +

Status mentions the status that the user is expecting. +Possible values are pass, fail and skip. +This is DEPRECATED, use Result instead.

+ + + + + +
resource + + * + +
+ + + + + string + + +
+ + +

Resource mentions the name of the resource on which the policy is to be applied. +This is DEPRECATED, use Resources instead.

+ + + + + +
namespace + + * + +
+ + + + + string + + +
+ + +

Namespace mentions the namespace of the policy which has namespace scope. +This is DEPRECATED, use a name in the form <namespace>/<name> for policies and/or resources instead.

+ + + + + +
+ + +

ValuesSpec +

+ + +

+ (Appears in: + Test, + Values) +

+ + +

ValuesSpec declares values to be loaded by the Kyverno CLI

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
globalValues + + * + +
+ + + + + map[string]interface{} + + +
+ + +

GlobalValues are the global values

+ + + + + +
policies + + * + +
+ + + + + + []Policy + + + +
+ + +

Policies are the policy values

+ + + + + +
namespaceSelector + + * + +
+ + + + + + []NamespaceSelector + + + +
+ + +

NamespaceSelectors are the namespace labels

+ + + + + +
subresources + + * + +
+ + + + + + []Subresource + + + +
+ + +

Subresources are the subresource/parent resource mappings

+ + + + + +
+ + + +
+ +
+ + diff --git a/docs/user/config-api.yaml b/docs/user/config-api.yaml new file mode 100644 index 0000000000..cc153c659b --- /dev/null +++ b/docs/user/config-api.yaml @@ -0,0 +1,54 @@ +hiddenMemberFields: + - "TypeMeta" + +externalPackages: + - match: ^k8s\\.io/apimachinery/pkg/apis/meta/v1\\.Duration$ + target: https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration + - match: ^k8s\\.io/(api|apimachinery|apiextensions-apiserver/pkg/apis)/ + target: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#{{lower .TypeIdentifier}}-{{arrIndex .PackageSegments -1}}-{{arrIndex .PackageSegments -2}} + - match: ^github\\.com/knative/pkg/apis/duck/ + target: https://godoc.org/github.com/knative/pkg/apis/duck/{{arrIndex .PackageSegments -1}}#{{.TypeIdentifier}} + +hideTypePatterns: + - "ParseError$" + - "List$" + +markdownDisabled: false + +stripPrefix: + - k8s.io/api/ + - k8s.io/apimachinery/pkg/apis/ + - github.com/tengqm/kubeconfig/config/kubeadm/v1beta2. + - github.com/tengqm/kubeconfig/config/kubeadm/v1beta3. + - github.com/tengqm/kubeconfig/config/bootstraptoken/v1. + +apis: + - name: kyverno + title: kyverno (v1) + package: github.com/kyverno/kyverno + path: api/kyverno/v1 + + - name: kyverno + title: kyverno (v1alpha2) + package: github.com/kyverno/kyverno + path: api/kyverno/v1alpha2 + + - name: kyverno + title: kyverno (v2alpha1) + package: github.com/kyverno/kyverno + path: api/kyverno/v2alpha1 + + - name: kyverno + title: kyverno (v1beta1) + package: github.com/kyverno/kyverno + path: api/kyverno/v1beta1 + + - name: kyverno + title: kyverno (v2beta1) + package: github.com/kyverno/kyverno + path: api/kyverno/v2beta1 + + - name: kyverno_policyreport + title: kyverno policy report (v1alpha2) + package: github.com/kyverno/kyverno + path: api/policyreport/v1alpha2 diff --git a/docs/user/config-cli-api.yaml b/docs/user/config-cli-api.yaml new file mode 100644 index 0000000000..02c6479ab1 --- /dev/null +++ b/docs/user/config-cli-api.yaml 
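Review bot: The `externalPackages` target for `^k8s\\.io/(api|apimachinery|apiextensions-apiserver/pkg/apis)/` links core types to `https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/`, while the Makefile in this same patch sets `KUBE_VERSION ?= v1.25.0`, so links for types such as meta/v1.ObjectMeta in the generated docs would point at a reference two minor versions behind the version the project builds against; bumping the path to `v1.25/` keeps them in step. The `stripPrefix` entries for `github.com/tengqm/kubeconfig/config/...` do not correspond to anything this patch shows the repository importing and look carried over from an upstream example config; they are dead configuration that could be removed. If the doubled backslashes in the `match` patterns are literal in the file rather than an artefact of this rendering, a plain YAML scalar passes them through unchanged and the Go regexp then requires a literal backslash before `io`, so no k8s.io type would ever match — worth confirming against the links in the generated HTML. The same three points apply to docs/user/config-cli-api.yaml in the next hunk.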
@@ -0,0 +1,29 @@ +hiddenMemberFields: + - "TypeMeta" + +externalPackages: + - match: ^k8s\\.io/apimachinery/pkg/apis/meta/v1\\.Duration$ + target: https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration + - match: ^k8s\\.io/(api|apimachinery|apiextensions-apiserver/pkg/apis)/ + target: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#{{lower .TypeIdentifier}}-{{arrIndex .PackageSegments -1}}-{{arrIndex .PackageSegments -2}} + - match: ^github\\.com/knative/pkg/apis/duck/ + target: https://godoc.org/github.com/knative/pkg/apis/duck/{{arrIndex .PackageSegments -1}}#{{.TypeIdentifier}} + +hideTypePatterns: + - "ParseError$" + - "List$" + +markdownDisabled: false + +stripPrefix: + - k8s.io/api/ + - k8s.io/apimachinery/pkg/apis/ + - github.com/tengqm/kubeconfig/config/kubeadm/v1beta2. + - github.com/tengqm/kubeconfig/config/kubeadm/v1beta3. + - github.com/tengqm/kubeconfig/config/bootstraptoken/v1. + +apis: + - name: kyverno_kubectl + title: cli (v1alpha1) + package: github.com/kyverno/kyverno + path: cmd/cli/kubectl-kyverno/apis/v1alpha1 diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html new file mode 100644 index 0000000000..514d8a2ae7 --- /dev/null +++ b/docs/user/crd/kyverno.v1.html @@ -0,0 +1,9073 @@ + + + + + + + + + +
+ + + +

Package: kyverno.io/v1

+

+ + + + + +

Resource Types:

+ + + + +

ClusterPolicy +

+ + + +

ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v1
kind
string
ClusterPolicy
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + + Spec + + + +
+ + +

Spec declares policy behaviors.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
rules + + * + +
+ + + + + + []Rule + + + +
+ + +

Rules is a list of Rule instances. A Policy contains multiple rules and +each rule can validate, mutate, or generate resources.

+ + + + + +
applyRules + +
+ + + + + + ApplyRulesType + + + +
+ + +

ApplyRules controls how rules in a policy are applied. Rule are processed in +the order of declaration. When set to One processing stops after a rule has +been applied i.e. the rule matches and results in a pass, fail, or error. When +set to All all rules in the policy are processed. The default is All.

+ + + + + +
failurePolicy + +
+ + + + + + FailurePolicyType + + + +
+ + +

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. +Rules within the same policy share the same failure behavior. +This field should not be accessed directly, instead GetFailurePolicy() should be used. +Allowed values are Ignore or Fail. Defaults to Fail.

+ + + + + +
validationFailureAction + +
+ + + + + + ValidationFailureAction + + + +
+ + +

ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce. The default value is "Audit".

+ + + + + +
validationFailureActionOverrides + +
+ + + + + + []ValidationFailureActionOverride + + + +
+ + +

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+ + + + + +
admission + +
+ + + + + bool + + +
+ + +

Admission controls if rules are applied during admission. +Optional. Default value is "true".

+ + + + + +
background + +
+ + + + + bool + + +
+ + +

Background controls if rules are applied to existing resources during a background scan. +Optional. Default value is "true". The value must be set to "false" if the policy rule +uses variables that are only available in the admission review request (e.g. user name).

+ + + + + +
schemaValidation + + * + +
+ + + + + bool + + +
+ + +

Deprecated.

+ + + + + +
webhookTimeoutSeconds + + * + +
+ + + + + int32 + + +
+ + +

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. +After the configured time expires, the admission request may fail, or may simply ignore the policy results, +based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+ + + + + +
mutateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. +Default value is "false".

+ + + + + +
generateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

Deprecated, use generateExisting instead

+ + + + + +
generateExisting + +
+ + + + + bool + + +
+ + +

GenerateExisting controls whether to trigger generate rule in existing resources +If is set to "true" generate rule will be triggered and applied to existing matched resources. +Defaults to "false" if not specified.

+ + + + + +
useServerSideApply + +
+ + + + + bool + + +
+ + +

UseServerSideApply controls whether to use server-side apply for generate rules +If is set to "true" create & update for generate rules will use apply instead of create/update. +Defaults to "false" if not specified.

+ + + + + +
webhookConfiguration + +
+ + + + + + WebhookConfiguration + + + +
+ + +

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. +Requires Kubernetes 1.27 or later.

+ + + + + +
+ +
status + +
+ + + + + + PolicyStatus + + + +
+ + +

Status contains policy runtime data.

+ + + + + +
+ + +

Policy +

+ + + +

Policy declares validation, mutation, and generation behaviors for matching resources. +See: https://kyverno.io/docs/writing-policies/ for more information.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v1
kind
string
Policy
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + + Spec + + + +
+ + +

Spec defines policy behaviors and contains one or more rules.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
rules + + * + +
+ + + + + + []Rule + + + +
+ + +

Rules is a list of Rule instances. A Policy contains multiple rules and +each rule can validate, mutate, or generate resources.

+ + + + + +
applyRules + +
+ + + + + + ApplyRulesType + + + +
+ + +

ApplyRules controls how rules in a policy are applied. Rule are processed in +the order of declaration. When set to One processing stops after a rule has +been applied i.e. the rule matches and results in a pass, fail, or error. When +set to All all rules in the policy are processed. The default is All.

+ + + + + +
failurePolicy + +
+ + + + + + FailurePolicyType + + + +
+ + +

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. +Rules within the same policy share the same failure behavior. +This field should not be accessed directly, instead GetFailurePolicy() should be used. +Allowed values are Ignore or Fail. Defaults to Fail.

+ + + + + +
validationFailureAction + +
+ + + + + + ValidationFailureAction + + + +
+ + +

ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce. The default value is "Audit".

+ + + + + +
validationFailureActionOverrides + +
+ + + + + + []ValidationFailureActionOverride + + + +
+ + +

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+ + + + + +
admission + +
+ + + + + bool + + +
+ + +

Admission controls if rules are applied during admission. +Optional. Default value is "true".

+ + + + + +
background + +
+ + + + + bool + + +
+ + +

Background controls if rules are applied to existing resources during a background scan. +Optional. Default value is "true". The value must be set to "false" if the policy rule +uses variables that are only available in the admission review request (e.g. user name).

+ + + + + +
schemaValidation + + * + +
+ + + + + bool + + +
+ + +

Deprecated.

+ + + + + +
webhookTimeoutSeconds + + * + +
+ + + + + int32 + + +
+ + +

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. +After the configured time expires, the admission request may fail, or may simply ignore the policy results, +based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+ + + + + +
mutateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. +Default value is "false".

+ + + + + +
generateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

Deprecated, use generateExisting instead

+ + + + + +
generateExisting + +
+ + + + + bool + + +
+ + +

GenerateExisting controls whether to trigger generate rule in existing resources +If is set to "true" generate rule will be triggered and applied to existing matched resources. +Defaults to "false" if not specified.

+ + + + + +
useServerSideApply + +
+ + + + + bool + + +
+ + +

UseServerSideApply controls whether to use server-side apply for generate rules +If is set to "true" create & update for generate rules will use apply instead of create/update. +Defaults to "false" if not specified.

+ + + + + +
webhookConfiguration + +
+ + + + + + WebhookConfiguration + + + +
+ + +

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. +Requires Kubernetes 1.27 or later.

+ + + + + +
+ +
status + +
+ + + + + + PolicyStatus + + + +
+ + +

Deprecated. Policy metrics are available via the metrics endpoint

+ + + + + +
+ + +

APICall +

+ + +

+ (Appears in: + ContextAPICall) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
urlPath + + * + +
+ + + + + string + + +
+ + +

URLPath is the URL path to be used in the HTTP GET or POST request to the +Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). +The format required is the same format used by the kubectl get --raw command. +See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls +for details.

+ + + + + +
method + + * + +
+ + + + + + Method + + + +
+ + +

Method is the HTTP request type (GET or POST).

+ + + + + +
data + + * + +
+ + + + + + []RequestData + + + +
+ + +

Data specifies the POST data sent to the server.

+ + + + + +
service + + * + +
+ + + + + + ServiceCall + + + +
+ + +

Service is an API call to a JSON web service

+ + + + + +
+ + +

AdmissionOperation + (string alias)

+ + +

+ (Appears in: + ResourceDescription) +

+ + +

AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.

+

+ + + +

AnyAllConditions +

+ + +

+ (Appears in: + Attestation, + ForEachMutation, + ForEachValidation) +

+ + +

AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. +AnyConditions get fulfilled when at least one of its sub-conditions passes. +AllConditions get fulfilled only when all of its sub-conditions pass.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
any + +
+ + + + + + []Condition + + + +
+ + +

AnyConditions enable variable-based conditional rule execution. This is useful for +finer control of when an rule is applied. A condition can reference object data +using JMESPath notation. +Here, at least one of the conditions need to pass

+ + + + + +
all + +
+ + + + + + []Condition + + + +
+ + +

AllConditions enable variable-based conditional rule execution. This is useful for +finer control of when an rule is applied. A condition can reference object data +using JMESPath notation. +Here, all of the conditions need to pass

+ + + + + +
+ + +

ApplyRulesType + (string alias)

+ + +

+ (Appears in: + Spec) +

+ + +

ApplyRulesType controls whether processing stops after one rule is applied or all rules are applied.

+

+ + + +

Attestation +

+ + +

+ (Appears in: + ImageVerification) +

+ + +

Attestation are checks for signed in-toto Statements that are used to verify the image. +See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the +OCI registry and decodes them into a list of Statements.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
predicateType + + * + +
+ + + + + string + + +
+ + +

Deprecated in favour of 'Type', to be removed soon

+ + + + + +
type + + * + +
+ + + + + string + + +
+ + +

Type defines the type of attestation contained within the Statement.

+ + + + + +
attestors + + * + +
+ + + + + + []AttestorSet + + + +
+ + +

Attestors specify the required attestors (i.e. authorities).

+ + + + + +
conditions + + * + +
+ + + + + + []AnyAllConditions + + + +
+ + +

Conditions are used to verify attributes within a Predicate. If no Conditions are specified +the attestation check is satisfied as long there are predicates that match the predicate type.

+ + + + + +
+ + +

Attestor +

+ + +

+ (Appears in: + AttestorSet) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
keys + + * + +
+ + + + + + StaticKeyAttestor + + + +
+ + +

Keys specifies one or more public keys.

+ + + + + +
certificates + + * + +
+ + + + + + CertificateAttestor + + + +
+ + +

Certificates specifies one or more certificates.

+ + + + + +
keyless + + * + +
+ + + + + + KeylessAttestor + + + +
+ + +

Keyless is a set of attribute used to verify a Sigstore keyless attestor. +See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.

+ + + + + +
attestor + + * + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Attestor is a nested set of Attestor used to specify a more complex set of match authorities.

+ + + + + +
annotations + + * + +
+ + + + + map[string]string + + +
+ + +

Annotations are used for image verification. +Every specified key-value pair must exist and match in the verified payload. +The payload may contain other key-value pairs.

+ + + + + +
repository + + * + +
+ + + + + string + + +
+ + +

Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. +If specified Repository will override other OCI image repository locations for this Attestor.

+ + + + + +
+ + +

AttestorSet +

+ + +

+ (Appears in: + Attestation, + ImageVerification, + Manifests) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
count + + * + +
+ + + + + int + + +
+ + +

Count specifies the required number of entries that must match. If the count is null, all entries must match +(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a +value N, then N must be less than or equal to the size of entries, and at least N entries must match.

+ + + + + +
entries + + * + +
+ + + + + + []Attestor + + + +
+ + +

Entries contains the available attestors. An attestor can be a static key, +attributes for keyless verification, or a nested attestor declaration.

+ + + + + +
+ + +

AutogenStatus +

+ + +

+ (Appears in: + PolicyStatus) +

+ + +

AutogenStatus contains autogen status information.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
rules + + * + +
+ + + + + + []Rule + + + +
+ + +

Rules is a list of Rule instances. It contains auto generated rules added for pod controllers

+ + + + + +
+ + +

CEL +

+ + +

+ (Appears in: + Validation) +

+ + +

CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
expressions + + * + +
+ + + + + []admissionregistration/v1alpha1.Validation + + +
+ + +

Expressions is a list of CELExpression types.

+ + + + + +
paramKind + +
+ + + + + admissionregistration/v1alpha1.ParamKind + + +
+ + +

ParamKind is a tuple of Group Kind and Version.

+ + + + + +
paramRef + +
+ + + + + admissionregistration/v1alpha1.ParamRef + + +
+ + +

ParamRef references a parameter resource.

+ + + + + +
auditAnnotations + +
+ + + + + []admissionregistration/v1alpha1.AuditAnnotation + + +
+ + +

AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.

+ + + + + +
variables + +
+ + + + + []admissionregistration/v1alpha1.Variable + + +
+ + +

Variables contain definitions of variables that can be used in composition of other expressions. +Each variable is defined as a named CEL expression. +The variables defined here will be available under variables in other expressions of the policy.

+ + + + + +
+ + +

CTLog +

+ + +

+ (Appears in: + CertificateAttestor, + KeylessAttestor, + StaticKeyAttestor) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
ignoreSCT + + * + +
+ + + + + bool + + +
+ + +

IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate +timestamp. Default is false. Set to true if this was opted out during signing.

+ + + + + +
pubkey + + * + +
+ + + + + string + + +
+ + +

PubKey, if set, is used to validate SCTs against a custom source.

+ + + + + +
+ + +

CertificateAttestor +

+ + +

+ (Appears in: + Attestor) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
cert + + * + +
+ + + + + string + + +
+ + +

Cert is an optional PEM-encoded public certificate.

+ + + + + +
certChain + + * + +
+ + + + + string + + +
+ + +

CertChain is an optional PEM encoded set of certificates used to verify.

+ + + + + +
rekor + + * + +
+ + + + + + Rekor + + + +
+ + +

Rekor provides configuration for the Rekor transparency log service. If an empty object +is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.

+ + + + + +
ctlog + + * + +
+ + + + + + CTLog + + + +
+ + +

CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate +Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.

+ + + + + +
+ + +

CloneFrom +

+ + +

+ (Appears in: + Generation) +

+ + +

CloneFrom provides the location of the source resource used to generate target resources. +The resource kind is derived from the match criteria.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
namespace + +
+ + + + + string + + +
+ + +

Namespace specifies source resource namespace.

+ + + + + +
name + + * + +
+ + + + + string + + +
+ + +

Name specifies name of the resource.

+ + + + + +
+ + +

Condition +

+ + +

+ (Appears in: + AnyAllConditions) +

+ + +

Condition defines variable-based conditional criteria for rule execution.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
key + + * + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Key is the context entry (using JMESPath) for conditional rule evaluation.

+ + + + + +
operator + + * + +
+ + + + + + ConditionOperator + + + +
+ + +

Operator is the conditional operation to perform. Valid operators are: +Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, +GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, +DurationLessThanOrEquals, DurationLessThan

+ + + + + +
value + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Value is the conditional value, or set of values. The values can be fixed set +or can be variables declared using JMESPath.

+ + + + + +
message + + * + +
+ + + + + string + + +
+ + +

Message is an optional display message

+ + + + + +
+ + +

ConditionOperator + (string alias)

+ + +

+ (Appears in: + Condition) +

+ + +

ConditionOperator is the operation performed on condition key and value.

+

+ + + +

ConfigMapReference +

+ + +

+ (Appears in: + ContextEntry) +

+ + +

ConfigMapReference refers to a ConfigMap

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
name + + * + +
+ + + + + string + + +
+ + +

Name is the ConfigMap name.

+ + + + + +
namespace + + * + +
+ + + + + string + + +
+ + +

Namespace is the ConfigMap namespace.

+ + + + + +
+ + +

ContextAPICall +

+ + +

+ (Appears in: + ContextEntry) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
APICall + + * + +
+ + + + + + APICall + + + +
+ +

(Members of APICall are embedded into this type.)

+ + + + + + + +
jmesPath + + * + +
+ + + + + string + + +
+ + +

JMESPath is an optional JSON Match Expression that can be used to +transform the JSON response returned from the server. For example +a JMESPath of "items | length(@)" applied to the API server response +for the URLPath "/apis/apps/v1/deployments" will return the total count +of deployments across all namespaces.

+ + + + + +
+ + +

ContextEntry +

+ + +

+ (Appears in: + ForEachMutation, + ForEachValidation, + Rule, + TargetResourceSpec) +

+ + +

ContextEntry adds variables and data sources to a rule Context. Either a +ConfigMap reference or a APILookup must be provided.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
name + + * + +
+ + + + + string + + +
+ + +

Name is the variable name.

+ + + + + +
configMap + + * + +
+ + + + + + ConfigMapReference + + + +
+ + +

ConfigMap is the ConfigMap reference.

+ + + + + +
apiCall + + * + +
+ + + + + + ContextAPICall + + + +
+ + +

APICall is an HTTP request to the Kubernetes API server, or other JSON web service. +The data returned is stored in the context with the name for the context entry.

+ + + + + +
imageRegistry + + * + +
+ + + + + + ImageRegistry + + + +
+ + +

ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image +details.

+ + + + + +
variable + + * + +
+ + + + + + Variable + + + +
+ + +

Variable defines an arbitrary JMESPath context variable that can be defined inline.

+ + + + + +
+ + +

Deny +

+ + +

+ (Appears in: + ForEachValidation, + Validation) +

+ + +

Deny specifies a list of conditions used to pass or fail a validation rule.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
conditions + + * + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Multiple conditions can be declared under an any or all statement. A direct list +of conditions (without any or all statements) is also supported for backwards compatibility +but will be deprecated in the next major release. +See: https://kyverno.io/docs/writing-policies/validate/#deny-rules

+ + + + + +
+ + +

DryRunOption +

+ + +

+ (Appears in: + Manifests) +

+ + +

DryRunOption is a configuration for dryrun. +If enable is set to "true", manifest verification performs "dryrun & compare" +which provides robust matching against changes by defaults and other admission controllers. +Dryrun requires additional permissions. See config/dryrun/dryrun_rbac.yaml

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
enable + + * + +
+ + + + + bool + + +
+ + + + + + + +
namespace + + * + +
+ + + + + string + + +
+ + + + + + + +
+ + +

FailurePolicyType + (string alias)

+ + +

+ (Appears in: + Spec) +

+ + +

FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.

+

+ + + +

ForEachMutation +

+ + +

+ (Appears in: + Mutation) +

+ + +

ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
list + + * + +
+ + + + + string + + +
+ + +

List specifies a JMESPath expression that results in one or more elements +to which the validation logic is applied.

+ + + + + +
order + +
+ + + + + + ForeachOrder + + + +
+ + +

Order defines the iteration order on the list. +Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.

+ + + + + +
context + +
+ + + + + + []ContextEntry + + + +
+ + +

Context defines variables and data sources that can be used during rule execution.

+ + + + + +
preconditions + +
+ + + + + + AnyAllConditions + + + +
+ + +

AnyAllConditions are used to determine if a policy rule should be applied by evaluating a +set of conditions. The declaration can contain nested any or all statements. +See: https://kyverno.io/docs/writing-policies/preconditions/

+ + + + + +
patchStrategicMerge + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

PatchStrategicMerge is a strategic merge patch used to modify resources. +See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ +and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.

+ + + + + +
patchesJson6902 + +
+ + + + + string + + +
+ + +

PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. +See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.

+ + + + + +
foreach + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Foreach declares a nested foreach iterator

+ + + + + +
+ + +

ForEachValidation +

+ + +

+ (Appears in: + Validation) +

+ + +

ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
list + + * + +
+ + + + + string + + +
+ + +

List specifies a JMESPath expression that results in one or more elements +to which the validation logic is applied.

+ + + + + +
elementScope + +
+ + + + + bool + + +
+ + +

ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. +When set to "false", "request.object" is used as the validation scope within the foreach +block to allow referencing other elements in the subtree.

+ + + + + +
context + +
+ + + + + + []ContextEntry + + + +
+ + +

Context defines variables and data sources that can be used during rule execution.

+ + + + + +
preconditions + +
+ + + + + + AnyAllConditions + + + +
+ + +

AnyAllConditions are used to determine if a policy rule should be applied by evaluating a +set of conditions. The declaration can contain nested any or all statements. +See: https://kyverno.io/docs/writing-policies/preconditions/

+ + + + + +
pattern + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Pattern specifies an overlay-style pattern used to check resources.

+ + + + + +
anyPattern + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

AnyPattern specifies list of validation patterns. At least one of the patterns +must be satisfied for the validation rule to succeed.

+ + + + + +
deny + +
+ + + + + + Deny + + + +
+ + +

Deny defines conditions used to pass or fail a validation rule.

+ + + + + +
foreach + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Foreach declares a nested foreach iterator

+ + + + + +
+ + +

ForeachOrder + (string alias)

+ + +

+ (Appears in: + ForEachMutation) +

+ + +

ForeachOrder specifies the iteration order in foreach statements.

+

+ + + +

Generation +

+ + +

+ (Appears in: + Rule) +

+ + +

Generation defines how new resources should be created and managed.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
ResourceSpec + + * + +
+ + + + + + ResourceSpec + + + +
+ + +

ResourceSpec contains information to select the resource.

+ + + + + +
synchronize + +
+ + + + + bool + + +
+ + +

Synchronize controls if generated resources should be kept in-sync with their source resource. +If Synchronize is set to "true" changes to generated resources will be overwritten with resource +data from Data or the resource specified in the Clone declaration. +Optional. Defaults to "false" if not specified.

+ + + + + +
orphanDownstreamOnPolicyDelete + +
+ + + + + bool + + +
+ + +

OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated +them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. +See https://kyverno.io/docs/writing-policies/generate/#data-examples. +Defaults to "false" if not specified.

+ + + + + +
data + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Data provides the resource declaration used to populate each generated resource. +At most one of Data or Clone must be specified. If neither are provided, the generated +resource will be created with default data only.

+ + + + + +
clone + +
+ + + + + + CloneFrom + + + +
+ + +

Clone specifies the source resource used to populate each generated resource. +At most one of Data or Clone can be specified. If neither are provided, the generated +resource will be created with default data only.

+ + + + + +
cloneList + +
+ + + + + + CloneList + + + +
+ + +

CloneList specifies the list of source resource used to populate each generated resource.

+ + + + + +
+ + +

ImageExtractorConfigs + (map[string][]github.com/kyverno/kyverno/api/kyverno/v1.ImageExtractorConfig alias)

+ + +

+ (Appears in: + Rule) +

+ + +

+ + + +

ImageRegistry +

+ + +

+ (Appears in: + ContextEntry) +

+ + +

ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image +details.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
reference + + * + +
+ + + + + string + + +
+ + +

Reference is image reference to a container image in the registry. +Example: ghcr.io/kyverno/kyverno:latest

+ + + + + +
jmesPath + +
+ + + + + string + + +
+ + +

JMESPath is an optional JSON Match Expression that can be used to +transform the ImageData struct returned as a result of processing +the image reference.

+ + + + + +
imageRegistryCredentials + + * + +
+ + + + + + ImageRegistryCredentials + + + +
+ + +

ImageRegistryCredentials provides credentials that will be used for authentication with registry

+ + + + + +
+ + +

ImageRegistryCredentials +

+ + +

+ (Appears in: + ImageRegistry, + ImageVerification) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
allowInsecureRegistry + + * + +
+ + + + + bool + + +
+ + +

AllowInsecureRegistry allows insecure access to a registry.

+ + + + + +
providers + + * + +
+ + + + + + []ImageRegistryCredentialsProvidersType + + + +
+ + +

Providers specifies a list of OCI Registry names, whose authentication providers are provided. +It can be of one of these values: default,google,azure,amazon,github.

+ + + + + +
secrets + + * + +
+ + + + + []string + + +
+ + +

Secrets specifies a list of secrets that are provided for credentials. +Secrets must live in the Kyverno namespace.

+ + + + + +
+ + +

ImageRegistryCredentialsProvidersType + (string alias)

+ + +

+ (Appears in: + ImageRegistryCredentials) +

+ + +

ImageRegistryCredentialsProvidersType provides the list of credential providers required.

+

+ + + +

ImageVerification +

+ + +

+ (Appears in: + Rule) +

+ + +

ImageVerification validates that images that match the specified pattern +are signed with the supplied public key. Once the image is verified it is +mutated to include the SHA digest retrieved during the registration.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
type + + * + +
+ + + + + + ImageVerificationType + + + +
+ + +

Type specifies the method of signature validation. The allowed options +are Cosign and Notary. By default Cosign is used if a type is not specified.

+ + + + + +
image + + * + +
+ + + + + string + + +
+ + +

Deprecated. Use ImageReferences instead.

+ + + + + +
imageReferences + + * + +
+ + + + + []string + + +
+ + +

ImageReferences is a list of matching image reference patterns. At least one pattern in the +list must match the image for the rule to apply. Each image reference consists of a registry +address (defaults to docker.io), repository, image, and tag (defaults to latest). +Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.

+ + + + + +
skipImageReferences + + * + +
+ + + + + []string + + +
+ + +

SkipImageReferences is a list of matching image reference patterns that should be skipped. +At least one pattern in the list must match the image for the rule to be skipped. Each image reference +consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). +Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.

+ + + + + +
key + + * + +
+ + + + + string + + +
+ + +

Deprecated. Use StaticKeyAttestor instead.

+ + + + + +
roots + + * + +
+ + + + + string + + +
+ + +

Deprecated. Use KeylessAttestor instead.

+ + + + + +
subject + + * + +
+ + + + + string + + +
+ + +

Deprecated. Use KeylessAttestor instead.

+ + + + + +
issuer + + * + +
+ + + + + string + + +
+ + +

Deprecated. Use KeylessAttestor instead.

+ + + + + +
additionalExtensions + + * + +
+ + + + + map[string]string + + +
+ + +

Deprecated.

+ + + + + +
attestors + + * + +
+ + + + + + []AttestorSet + + + +
+ + +

Attestors specified the required attestors (i.e. authorities)

+ + + + + +
attestations + + * + +
+ + + + + + []Attestation + + + +
+ + +

Attestations are optional checks for signed in-toto Statements used to verify the image. +See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the +OCI registry and decodes them into a list of Statement declarations.

+ + + + + +
annotations + + * + +
+ + + + + map[string]string + + +
+ + +

Deprecated. Use annotations per Attestor instead.

+ + + + + +
repository + + * + +
+ + + + + string + + +
+ + +

Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. +If specified Repository will override the default OCI image repository configured for the installation. +The repository can also be overridden per Attestor or Attestation.

+ + + + + +
mutateDigest + + * + +
+ + + + + bool + + +
+ + +

MutateDigest enables replacement of image tags with digests. +Defaults to true.

+ + + + + +
verifyDigest + + * + +
+ + + + + bool + + +
+ + +

VerifyDigest validates that images have a digest.

+ + + + + +
required + + * + +
+ + + + + bool + + +
+ + +

Required validates that images are verified i.e. have matched passed a signature or attestation check.

+ + + + + +
imageRegistryCredentials + + * + +
+ + + + + + ImageRegistryCredentials + + + +
+ + +

ImageRegistryCredentials provides credentials that will be used for authentication with registry.

+ + + + + +
useCache + + * + +
+ + + + + bool + + +
+ + +

UseCache enables caching of image verify responses for this rule.

+ + + + + +
+ + +

ImageVerificationType + (string alias)

+ + +

+ (Appears in: + ImageVerification) +

+ + +

ImageVerificationType selects the type of verification algorithm

+

+ + + +

KeylessAttestor +

+ + +

+ (Appears in: + Attestor) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
rekor + + * + +
+ + + + + + Rekor + + + +
+ + +

Rekor provides configuration for the Rekor transparency log service. If an empty object +is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.

+ + + + + +
ctlog + + * + +
+ + + + + + CTLog + + + +
+ + +

CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate +Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.

+ + + + + +
issuer + + * + +
+ + + + + string + + +
+ + +

Issuer is the certificate issuer used for keyless signing.

+ + + + + +
subject + + * + +
+ + + + + string + + +
+ + +

Subject is the verified identity used for keyless signing, for example the email address.

+ + + + + +
roots + + * + +
+ + + + + string + + +
+ + +

Roots is an optional set of PEM encoded trusted root certificates. +If not provided, the system roots are used.

+ + + + + +
additionalExtensions + + * + +
+ + + + + map[string]string + + +
+ + +

AdditionalExtensions are certificate-extensions used for keyless signing.

+ + + + + +
+ + +

Manifests +

+ + +

+ (Appears in: + Validation) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
attestors + + * + +
+ + + + + + []AttestorSet + + + +
+ + +

Attestors specified the required attestors (i.e. authorities)

+ + + + + +
annotationDomain + +
+ + + + + string + + +
+ + +

AnnotationDomain is custom domain of annotation for message and signature. Default is "cosign.sigstore.dev".

+ + + + + +
ignoreFields + +
+ + + + + + IgnoreFieldList + + + +
+ + +

Fields which will be ignored while comparing manifests.

+ + + + + +
dryRun + +
+ + + + + + DryRunOption + + + +
+ + +

DryRun configuration

+ + + + + +
repository + + * + +
+ + + + + string + + +
+ + +

Repository is an optional alternate OCI repository to use for resource bundle reference. +The repository can be overridden per Attestor or Attestation.

+ + + + + +
+ + +

MatchResources +

+ + +

+ (Appears in: + Rule) +

+ + +

MatchResources is used to specify resource and admission review request data for +which a policy rule is applicable.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
any + +
+ + + + + + ResourceFilters + + + +
+ + +

Any allows specifying resources which will be ORed

+ + + + + +
all + +
+ + + + + + ResourceFilters + + + +
+ + +

All allows specifying resources which will be ANDed

+ + + + + +
UserInfo + +
+ + + + + + UserInfo + + + +
+ + +

UserInfo contains information about the user performing the operation. +Specifying UserInfo directly under match is being deprecated. +Please specify under "any" or "all" instead.

+ + + + + +
resources + +
+ + + + + + ResourceDescription + + + +
+ + +

ResourceDescription contains information about the resource being created or modified. +Requires at least one tag to be specified when under MatchResources. +Specifying ResourceDescription directly under match is being deprecated. +Please specify under "any" or "all" instead.

+ + + + + +
+ + +

Method + (string alias)

+ + +

+ (Appears in: + APICall) +

+ + +

Method is a HTTP request type.

+

+ + + +

Mutation +

+ + +

+ (Appears in: + Rule) +

+ + +

Mutation defines how resource are modified.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
targets + +
+ + + + + + []TargetResourceSpec + + + +
+ + +

Targets defines the target resources to be mutated.

+ + + + + +
patchStrategicMerge + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

PatchStrategicMerge is a strategic merge patch used to modify resources. +See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ +and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.

+ + + + + +
patchesJson6902 + +
+ + + + + string + + +
+ + +

PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. +See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.

+ + + + + +
foreach + +
+ + + + + + []ForEachMutation + + + +
+ + +

ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.

+ + + + + +
+ + +

PodSecurity +

+ + +

+ (Appears in: + Validation) +

+ + +

PodSecurity applies exemptions for Kubernetes Pod Security admission +by specifying exclusions for Pod Security Standards controls.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
level + + * + +
+ + + + + k8s.io/pod-security-admission/api.Level + + +
+ + +

Level defines the Pod Security Standard level to be applied to workloads. +Allowed values are privileged, baseline, and restricted.

+ + + + + +
version + +
+ + + + + string + + +
+ + +

Version defines the Pod Security Standard versions that Kubernetes supports. +Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest.

+ + + + + +
exclude + + * + +
+ + + + + + []PodSecurityStandard + + + +
+ + +

Exclude specifies the Pod Security Standard controls to be excluded.

+ + + + + +
+ + +

PodSecurityStandard +

+ + +

+ (Appears in: + PodSecurity) +

+ + +

PodSecurityStandard specifies the Pod Security Standard controls to be excluded.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
controlName + + * + +
+ + + + + string + + +
+ + +

ControlName specifies the name of the Pod Security Standard control. +See: https://kubernetes.io/docs/concepts/security/pod-security-standards/

+ + + + + +
images + +
+ + + + + []string + + +
+ + +

Images selects matching containers and applies the container level PSS. +Each image is the image name consisting of the registry address, repository, image, and tag. +Empty list matches no containers, PSS checks are applied at the pod level only. +Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.

+ + + + + +
restrictedField + +
+ + + + + string + + +
+ + +

RestrictedField selects the field for the given Pod Security Standard control. +When not set, all restricted fields for the control are selected.

+ + + + + +
values + +
+ + + + + []string + + +
+ + +

Values defines the allowed values that can be excluded.

+ + + + + +
+ + +

PolicyStatus +

+ + +

+ (Appears in: + ClusterPolicy, + Policy) +

+ + +

Deprecated. Policy metrics are now available via the "/metrics" endpoint. +See: https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
ready + + * + +
+ + + + + bool + + +
+ + +

Deprecated in favor of Conditions

+ + + + + +
conditions + +
+ + + + + []meta/v1.Condition + + +
+ + + + + + + +
autogen + +
+ + + + + + AutogenStatus + + + +
+ + + + + + + +
rulecount + +
+ + + + + + RuleCountStatus + + + +
+ + + + + + + +
validatingadmissionpolicy + +
+ + + + + + ValidatingAdmissionPolicyStatus + + + +
+ + +

ValidatingAdmissionPolicy contains status information

+ + + + + +
+ + +

Rekor +

+ + +

+ (Appears in: + CertificateAttestor, + KeylessAttestor, + StaticKeyAttestor) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
url + + * + +
+ + + + + string + + +
+ + +

URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.

+ + + + + +
pubkey + + * + +
+ + + + + string + + +
+ + +

RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. +If set, this will be used to validate transparency log signatures from a custom Rekor.

+ + + + + +
ignoreTlog + + * + +
+ + + + + bool + + +
+ + +

IgnoreTlog skips transparency log verification.

+ + + + + +
+ + +

RequestData +

+ + +

+ (Appears in: + APICall) +

+ + +

RequestData contains the HTTP POST data

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
key + + * + +
+ + + + + string + + +
+ + +

Key is a unique identifier for the data value

+ + + + + +
value + + * + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Value is the data value

+ + + + + +
+ + +

ResourceDescription +

+ + +

+ (Appears in: + MatchResources) +

+ + +

ResourceDescription contains criteria used to match resources.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
kinds + +
+ + + + + []string + + +
+ + +

Kinds is a list of resource kinds.

+ + + + + +
name + +
+ + + + + string + + +
+ + +

Name is the name of the resource. The name supports wildcard characters +"*" (matches zero or many characters) and "?" (at least one character). +NOTE: "Name" is being deprecated in favor of "Names".

+ + + + + +
names + +
+ + + + + []string + + +
+ + +

Names are the names of the resources. Each name supports wildcard characters +"*" (matches zero or many characters) and "?" (at least one character).

+ + + + + +
namespaces + +
+ + + + + []string + + +
+ + +

Namespaces is a list of namespaces names. Each name supports wildcard characters +"*" (matches zero or many characters) and "?" (at least one character).

+ + + + + +
annotations + +
+ + + + + map[string]string + + +
+ + +

Annotations is a map of annotations (key-value pairs of type string). Annotation keys +and values support the wildcard characters "*" (matches zero or many characters) and +"?" (matches at least one character).

+ + + + + +
selector + +
+ + + + + meta/v1.LabelSelector + + +
+ + +

Selector is a label selector. Label keys and values in matchLabels support the wildcard +characters * (matches zero or many characters) and ? (matches one character). +Wildcards allows writing label selectors like ["storage.k8s.io/": ""]. Note that +using ["" : ""] matches any key and value but does not match an empty label set.

+ + + + + +
namespaceSelector + +
+ + + + + meta/v1.LabelSelector + + +
+ + +

NamespaceSelector is a label selector for the resource namespace. Label keys and values +in matchLabels support the wildcard characters * (matches zero or many characters) +and ? (matches one character).Wildcards allows writing label selectors like +["storage.k8s.io/": ""]. Note that using ["" : ""] matches any key and value but +does not match an empty label set.

+ + + + + +
operations + +
+ + + + + + []AdmissionOperation + + + +
+ + +

Operations can contain values ["CREATE, "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.

+ + + + + +
+ + +

ResourceFilters + ([]github.com/kyverno/kyverno/api/kyverno/v1.ResourceFilter alias)

+ + +

+ (Appears in: + MatchResources) +

+ + +

ResourceFilters is a slice of ResourceFilter

+

+ + + +

ResourceSpec +

+ + +

+ (Appears in: + Generation, + TargetResourceSpec) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion + +
+ + + + + string + + +
+ + +

APIVersion specifies resource apiVersion.

+ + + + + +
kind + + * + +
+ + + + + string + + +
+ + +

Kind specifies resource kind.

+ + + + + +
namespace + +
+ + + + + string + + +
+ + +

Namespace specifies resource namespace.

+ + + + + +
name + +
+ + + + + string + + +
+ + +

Name specifies the resource name.

+ + + + + +
uid + +
+ + + + + k8s.io/apimachinery/pkg/types.UID + + +
+ + +

UID specifies the resource uid.

+ + + + + +
+ + +

Rule +

+ + +

+ (Appears in: + AutogenStatus, + Spec) +

+ + +

Rule defines a validation, mutation, or generation control for matching resources. +Each rules contains a match declaration to select resources, and an optional exclude +declaration to specify which resources to exclude.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
name + + * + +
+ + + + + string + + +
+ + +

Name is a label to identify the rule, It must be unique within the policy.

+ + + + + +
context + +
+ + + + + + []ContextEntry + + + +
+ + +

Context defines variables and data sources that can be used during rule execution.

+ + + + + +
match + + * + +
+ + + + + + MatchResources + + + +
+ + +

MatchResources defines when this policy rule should be applied. The match +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the user name or role. +At least one kind is required.

+ + + + + +
exclude + +
+ + + + + + MatchResources + + + +
+ + +

ExcludeResources defines when this policy rule should not be applied. The exclude +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the name or role.

+ + + + + +
imageExtractors + +
+ + + + + + ImageExtractorConfigs + + + +
+ + +

ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. +This config is only valid for verifyImages rules.

+ + + + + +
preconditions + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Preconditions are used to determine if a policy rule should be applied by evaluating a +set of conditions. The declaration can contain nested any or all statements. A direct list +of conditions (without any or all statements is supported for backwards compatibility but +will be deprecated in the next major release. +See: https://kyverno.io/docs/writing-policies/preconditions/

+ + + + + +
celPreconditions + +
+ + + + + []admissionregistration/v1alpha1.MatchCondition + + +
+ + +

CELPreconditions are used to determine if a policy rule should be applied by evaluating a +set of CEL conditions. It can only be used with the validate.cel subrule

+ + + + + +
mutate + +
+ + + + + + Mutation + + + +
+ + +

Mutation is used to modify matching resources.

+ + + + + +
validate + +
+ + + + + + Validation + + + +
+ + +

Validation is used to validate matching resources.

+ + + + + +
generate + +
+ + + + + + Generation + + + +
+ + +

Generation is used to create new resources.

+ + + + + +
verifyImages + +
+ + + + + + []ImageVerification + + + +
+ + +

VerifyImages is used to verify image signatures and mutate them to add a digest

+ + + + + +
skipBackgroundRequests + + * + +
+ + + + + bool + + +
+ + +

SkipBackgroundRequests bypasses admission requests that are sent by the background controller. +The default value is set to "true", it must be set to "false" to apply +generate and mutateExisting rules to those requests.

+ + + + + +
+ + +

RuleCountStatus +

+ + +

+ (Appears in: + PolicyStatus) +

+ + +

RuleCountStatus contains four variables which describes counts for +validate, generate, mutate and verify images rules

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
validate + + * + +
+ + + + + int + + +
+ + +

Count for validate rules in policy

+ + + + + +
generate + + * + +
+ + + + + int + + +
+ + +

Count for generate rules in policy

+ + + + + +
mutate + + * + +
+ + + + + int + + +
+ + +

Count for mutate rules in policy

+ + + + + +
verifyimages + + * + +
+ + + + + int + + +
+ + +

Count for verify image rules in policy

+ + + + + +
+ + +

SecretReference +

+ + +

+ (Appears in: + StaticKeyAttestor) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
name + + * + +
+ + + + + string + + +
+ + +

Name of the secret. The provided secret must contain a key named cosign.pub.

+ + + + + +
namespace + + * + +
+ + + + + string + + +
+ + +

Namespace name where the Secret exists.

+ + + + + +
+ + +

ServiceCall +

+ + +

+ (Appears in: + APICall) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
url + + * + +
+ + + + + string + + +
+ + +

URL is the JSON web service URL. A typical form is +https://{service}.{namespace}:{port}/{path}.

+ + + + + +
caBundle + + * + +
+ + + + + string + + +
+ + +

CABundle is a PEM encoded CA bundle which will be used to validate +the server certificate.

+ + + + + +
+ + +

Spec +

+ + +

+ (Appears in: + ClusterPolicy, + Policy) +

+ + +

Spec contains a list of Rule instances and other policy controls.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
rules + + * + +
+ + + + + + []Rule + + + +
+ + +

Rules is a list of Rule instances. A Policy contains multiple rules and +each rule can validate, mutate, or generate resources.

+ + + + + +
applyRules + +
+ + + + + + ApplyRulesType + + + +
+ + +

ApplyRules controls how rules in a policy are applied. Rule are processed in +the order of declaration. When set to One processing stops after a rule has +been applied i.e. the rule matches and results in a pass, fail, or error. When +set to All all rules in the policy are processed. The default is All.

+ + + + + +
failurePolicy + +
+ + + + + + FailurePolicyType + + + +
+ + +

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. +Rules within the same policy share the same failure behavior. +This field should not be accessed directly, instead GetFailurePolicy() should be used. +Allowed values are Ignore or Fail. Defaults to Fail.

+ + + + + +
validationFailureAction + +
+ + + + + + ValidationFailureAction + + + +
+ + +

ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce. The default value is "Audit".

+ + + + + +
validationFailureActionOverrides + +
+ + + + + + []ValidationFailureActionOverride + + + +
+ + +

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+ + + + + +
admission + +
+ + + + + bool + + +
+ + +

Admission controls if rules are applied during admission. +Optional. Default value is "true".

+ + + + + +
background + +
+ + + + + bool + + +
+ + +

Background controls if rules are applied to existing resources during a background scan. +Optional. Default value is "true". The value must be set to "false" if the policy rule +uses variables that are only available in the admission review request (e.g. user name).

+ + + + + +
schemaValidation + + * + +
+ + + + + bool + + +
+ + +

Deprecated.

+ + + + + +
webhookTimeoutSeconds + + * + +
+ + + + + int32 + + +
+ + +

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. +After the configured time expires, the admission request may fail, or may simply ignore the policy results, +based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+ + + + + +
mutateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. +Default value is "false".

+ + + + + +
generateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

Deprecated, use generateExisting instead

+ + + + + +
generateExisting + +
+ + + + + bool + + +
+ + +

GenerateExisting controls whether to trigger generate rule in existing resources +If is set to "true" generate rule will be triggered and applied to existing matched resources. +Defaults to "false" if not specified.

+ + + + + +
useServerSideApply + +
+ + + + + bool + + +
+ + +

UseServerSideApply controls whether to use server-side apply for generate rules +If is set to "true" create & update for generate rules will use apply instead of create/update. +Defaults to "false" if not specified.

+ + + + + +
webhookConfiguration + +
+ + + + + + WebhookConfiguration + + + +
+ + +

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. +Requires Kubernetes 1.27 or later.

+ + + + + +
+ + +

StaticKeyAttestor +

+ + +

+ (Appears in: + Attestor) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
publicKeys + + * + +
+ + + + + string + + +
+ + +

Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly +specified or can be a variable reference to a key specified in a ConfigMap (see +https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret +elsewhere in the cluster by specifying it in the format "k8s:///<secret_name>". +The named Secret must specify a key cosign.pub containing the public key used for +verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). +When multiple keys are specified each key is processed as a separate staticKey entry +(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.

+ + + + + +
signatureAlgorithm + + * + +
+ + + + + string + + +
+ + +

Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.

+ + + + + +
kms + + * + +
+ + + + + string + + +
+ + +

KMS provides the URI to the public key stored in a Key Management System. See: +https://github.com/sigstore/cosign/blob/main/KMS.md

+ + + + + +
secret + + * + +
+ + + + + + SecretReference + + + +
+ + +

Reference to a Secret resource that contains a public key

+ + + + + +
rekor + + * + +
+ + + + + + Rekor + + + +
+ + +

Rekor provides configuration for the Rekor transparency log service. If an empty object +is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.

+ + + + + +
ctlog + + * + +
+ + + + + + CTLog + + + +
+ + +

CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate +Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.

+ + + + + +
+ + +

TargetResourceSpec +

+ + +

+ (Appears in: + Mutation) +

+ + +

TargetResourceSpec defines targets for mutating existing resources.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
ResourceSpec + + * + +
+ + + + + + ResourceSpec + + + +
+ + +

ResourceSpec contains the target resources to load when mutating existing resources.

+ + + + + +
context + +
+ + + + + + []ContextEntry + + + +
+ + +

Context defines variables and data sources that can be used during rule execution.

+ + + + + +
preconditions + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Preconditions are used to determine if a policy rule should be applied by evaluating a +set of conditions. The declaration can contain nested any or all statements. A direct list +of conditions (without any or all statements is supported for backwards compatibility but +will be deprecated in the next major release. +See: https://kyverno.io/docs/writing-policies/preconditions/

+ + + + + +
+ + +

UserInfo +

+ + +

+ (Appears in: + MatchResources) +

+ + +

UserInfo contains information about the user performing the operation.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
roles + +
+ + + + + []string + + +
+ + +

Roles is the list of namespaced role names for the user.

+ + + + + +
clusterRoles + +
+ + + + + []string + + +
+ + +

ClusterRoles is the list of cluster-wide role names for the user.

+ + + + + +
subjects + +
+ + + + + []rbac/v1.Subject + + +
+ + +

Subjects is the list of subject names like users, user groups, and service accounts.

+ + + + + +
+ + +

ValidatingAdmissionPolicyStatus +

+ + +

+ (Appears in: + PolicyStatus) +

+ + +

ValidatingAdmissionPolicy contains status information

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
generated + + * + +
+ + + + + bool + + +
+ + +

Generated indicates whether a validating admission policy is generated from the policy or not

+ + + + + +
message + + * + +
+ + + + + string + + +
+ + +

Message is a human readable message indicating details about the generation of validating admission policy +It is an empty string when validating admission policy is successfully generated.

+ + + + + +
+ + +

Validation +

+ + +

+ (Appears in: + Rule) +

+ + +

Validation defines checks to be performed on matching resources.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
message + +
+ + + + + string + + +
+ + +

Message specifies a custom message to be displayed on failure.

+ + + + + +
manifests + +
+ + + + + + Manifests + + + +
+ + +

Manifest specifies conditions for manifest verification

+ + + + + +
foreach + +
+ + + + + + []ForEachValidation + + + +
+ + +

ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.

+ + + + + +
pattern + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Pattern specifies an overlay-style pattern used to check resources.

+ + + + + +
anyPattern + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

AnyPattern specifies list of validation patterns. At least one of the patterns +must be satisfied for the validation rule to succeed.

+ + + + + +
deny + +
+ + + + + + Deny + + + +
+ + +

Deny defines conditions used to pass or fail a validation rule.

+ + + + + +
podSecurity + +
+ + + + + + PodSecurity + + + +
+ + +

PodSecurity applies exemptions for Kubernetes Pod Security admission +by specifying exclusions for Pod Security Standards controls.

+ + + + + +
cel + +
+ + + + + + CEL + + + +
+ + +

CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).

+ + + + + +
+ + +

ValidationFailureAction + (string alias)

+ + +

+ (Appears in: + Spec, + ValidationFailureActionOverride) +

+ + +

ValidationFailureAction defines the policy validation failure action

+

+ + + +

ValidationFailureActionOverride +

+ + +

+ (Appears in: + Spec) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
action + + * + +
+ + + + + + ValidationFailureAction + + + +
+ + + + + + + +
namespaces + + * + +
+ + + + + []string + + +
+ + + + + + + +
namespaceSelector + + * + +
+ + + + + meta/v1.LabelSelector + + +
+ + + + + + + +
+ + +

Variable +

+ + +

+ (Appears in: + ContextEntry) +

+ + +

Variable defines an arbitrary JMESPath context variable that can be defined inline.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
value + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Value is any arbitrary JSON object representable in YAML or JSON form.

+ + + + + +
jmesPath + +
+ + + + + string + + +
+ + +

JMESPath is an optional JMESPath Expression that can be used to +transform the variable.

+ + + + + +
default + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Default is an optional arbitrary JSON object that the variable may take if the JMESPath +expression evaluates to nil

+ + + + + +
+ + +

WebhookConfiguration +

+ + +

+ (Appears in: + Spec) +

+ + +

WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
matchConditions + +
+ + + + + []admissionregistration/v1.MatchCondition + + +
+ + +

MatchCondition configures admission webhook matchConditions.

+ + + + + +
+ + + +
+ +
+ + diff --git a/docs/user/crd/kyverno.v1alpha2.html b/docs/user/crd/kyverno.v1alpha2.html new file mode 100644 index 0000000000..4cc5e07dd8 --- /dev/null +++ b/docs/user/crd/kyverno.v1alpha2.html @@ -0,0 +1,771 @@ + + + + + + + + + +
+ + + +

Package: kyverno.io/v1alpha2

+

Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group

+

+ + + + + +

Resource Types:

+ + + + +

AdmissionReport +

+ + + +

AdmissionReport is the Schema for the AdmissionReports API

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v1alpha2
kind
string
AdmissionReport
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2.AdmissionReportSpec + + +
+ + + + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
owner + + * + +
+ + + + + meta/v1.OwnerReference + + +
+ + +

Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node)

+ + + + + +
summary + +
+ + + + + github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportSummary + + +
+ + +

PolicyReportSummary provides a summary of results

+ + + + + +
results + +
+ + + + + []github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportResult + + +
+ + +

PolicyReportResult provides result details

+ + + + + +
+ +
+ + +

BackgroundScanReport +

+ + + +

BackgroundScanReport is the Schema for the BackgroundScanReports API

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v1alpha2
kind
string
BackgroundScanReport
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2.BackgroundScanReportSpec + + +
+ + + + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + +
summary + +
+ + + + + github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportSummary + + +
+ + +

PolicyReportSummary provides a summary of results

+ + + + + +
results + +
+ + + + + []github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportResult + + +
+ + +

PolicyReportResult provides result details

+ + + + + +
+ +
+ + +

ClusterAdmissionReport +

+ + + +

ClusterAdmissionReport is the Schema for the ClusterAdmissionReports API

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v1alpha2
kind
string
ClusterAdmissionReport
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2.AdmissionReportSpec + + +
+ + + + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
owner + + * + +
+ + + + + meta/v1.OwnerReference + + +
+ + +

Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node)

+ + + + + +
summary + +
+ + + + + github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportSummary + + +
+ + +

PolicyReportSummary provides a summary of results

+ + + + + +
results + +
+ + + + + []github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportResult + + +
+ + +

PolicyReportResult provides result details

+ + + + + +
+ +
+ + +

ClusterBackgroundScanReport +

+ + + +

ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports API

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v1alpha2
kind
string
ClusterBackgroundScanReport
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2.BackgroundScanReportSpec + + +
+ + + + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + +
summary + +
+ + + + + github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportSummary + + +
+ + +

PolicyReportSummary provides a summary of results

+ + + + + +
results + +
+ + + + + []github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportResult + + +
+ + +

PolicyReportResult provides result details

+ + + + + +
+ +
+ + + +
+ +
+ + diff --git a/docs/user/crd/kyverno.v1beta1.html b/docs/user/crd/kyverno.v1beta1.html new file mode 100644 index 0000000000..6d9a614d1a --- /dev/null +++ b/docs/user/crd/kyverno.v1beta1.html @@ -0,0 +1,1149 @@ + + + + + + + + + +
+ + + +

Package: kyverno.io/v1beta1

+

Package v1beta1 contains API Schema definitions for the policy v1beta1 API group

+

+ + + + + +

Resource Types:

+ + + + +

UpdateRequest +

+ + + +

UpdateRequest is a request to process mutate and generate rules in background.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v1beta1
kind
string
UpdateRequest
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + + UpdateRequestSpec + + + +
+ + +

ResourceSpec is the information to identify the trigger resource.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
requestType + + * + +
+ + + + + + RequestType + + + +
+ + +

Type represents request type for background processing

+ + + + + +
policy + + * + +
+ + + + + string + + +
+ + +

Specifies the name of the policy.

+ + + + + +
rule + + * + +
+ + + + + string + + +
+ + +

Rule is the associate rule name of the current UR.

+ + + + + +
deleteDownstream + + * + +
+ + + + + bool + + +
+ + +

DeleteDownstream represents whether the downstream needs to be deleted.

+ + + + + +
synchronize + + * + +
+ + + + + bool + + +
+ + +

Synchronize represents the sync behavior of the corresponding rule +Optional. Defaults to "false" if not specified.

+ + + + + +
resource + + * + +
+ + + + + + ResourceSpec + + + +
+ + +

ResourceSpec is the information to identify the trigger resource.

+ + + + + +
context + + * + +
+ + + + + + UpdateRequestSpecContext + + + +
+ + +

Context ...

+ + + + + +
+ +
status + +
+ + + + + + UpdateRequestStatus + + + +
+ + +

Status contains statistics related to update request.

+ + + + + +
+ + +

AdmissionRequestInfoObject +

+ + +

+ (Appears in: + UpdateRequestSpecContext) +

+ + +

AdmissionRequestInfoObject stores the admission request and operation details

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
admissionRequest + +
+ + + + + admission/v1.AdmissionRequest + + +
+ + + + + + + +
operation + +
+ + + + + admission/v1.Operation + + +
+ + + + + + + +
+ + +

RequestInfo +

+ + +

+ (Appears in: + UpdateRequestSpecContext) +

+ + +

RequestInfo contains permission info carried in an admission request.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
roles + +
+ + + + + []string + + +
+ + +

Roles is a list of possible role send the request.

+ + + + + +
clusterRoles + +
+ + + + + []string + + +
+ + +

ClusterRoles is a list of possible clusterRoles send the request.

+ + + + + +
userInfo + +
+ + + + + authentication/v1.UserInfo + + +
+ + +

UserInfo is the userInfo carried in the admission request.

+ + + + + +
+ + +

RequestType + (string alias)

+ + +

+ (Appears in: + UpdateRequestSpec) +

+ + +

+ + + +

UpdateRequestSpec +

+ + +

+ (Appears in: + UpdateRequest) +

+ + +

UpdateRequestSpec stores the request specification.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
requestType + + * + +
+ + + + + + RequestType + + + +
+ + +

Type represents request type for background processing

+ + + + + +
policy + + * + +
+ + + + + string + + +
+ + +

Specifies the name of the policy.

+ + + + + +
rule + + * + +
+ + + + + string + + +
+ + +

Rule is the associate rule name of the current UR.

+ + + + + +
deleteDownstream + + * + +
+ + + + + bool + + +
+ + +

DeleteDownstream represents whether the downstream needs to be deleted.

+ + + + + +
synchronize + + * + +
+ + + + + bool + + +
+ + +

Synchronize represents the sync behavior of the corresponding rule +Optional. Defaults to "false" if not specified.

+ + + + + +
resource + + * + +
+ + + + + + ResourceSpec + + + +
+ + +

ResourceSpec is the information to identify the trigger resource.

+ + + + + +
context + + * + +
+ + + + + + UpdateRequestSpecContext + + + +
+ + +

Context ...

+ + + + + +
+ + +

UpdateRequestSpecContext +

+ + +

+ (Appears in: + UpdateRequestSpec) +

+ + +

UpdateRequestSpecContext stores the context to be shared.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
userInfo + +
+ + + + + + RequestInfo + + + +
+ + + + + + + +
admissionRequestInfo + +
+ + + + + + AdmissionRequestInfoObject + + + +
+ + + + + + + +
+ + +

UpdateRequestState + (string alias)

+ + +

+ (Appears in: + UpdateRequestStatus) +

+ + +

UpdateRequestState defines the state of request.

+

+ + + +

UpdateRequestStatus +

+ + +

+ (Appears in: + UpdateRequest) +

+ + +

UpdateRequestStatus defines the observed state of UpdateRequest

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
handler + + * + +
+ + + + + string + + +
+ + +

Deprecated

+ + + + + +
state + + * + +
+ + + + + + UpdateRequestState + + + +
+ + +

State represents state of the update request.

+ + + + + +
message + +
+ + + + + string + + +
+ + +

Specifies request status message.

+ + + + + +
generatedResources + + * + +
+ + + + + + []ResourceSpec + + + +
+ + +

This will track the resources that are updated by the generate Policy. +Will be used during clean up resources.

+ + + + + +
retryCount + + * + +
+ + + + + int + + +
+ + + + + + + +
+ + + +
+ +
+ + diff --git a/docs/user/crd/kyverno.v2alpha1.html b/docs/user/crd/kyverno.v2alpha1.html new file mode 100644 index 0000000000..b4d8a93c99 --- /dev/null +++ b/docs/user/crd/kyverno.v2alpha1.html @@ -0,0 +1,1523 @@ + + + + + + + + + +
+ + + +

Package: kyverno.io/v2alpha1

+

+ + + + + +

Resource Types:

+ + + + +

CleanupPolicy +

+ + + +

CleanupPolicy defines a rule for resource cleanup.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v2alpha1
kind
string
CleanupPolicy
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.CleanupPolicySpec + + +
+ + +

Spec declares policy behaviors.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
context + +
+ + + + + + []ContextEntry + + + +
+ + +

Context defines variables and data sources that can be used during rule execution.

+ + + + + +
match + + * + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.MatchResources + + +
+ + +

MatchResources defines when cleanuppolicy should be applied. The match +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the user name or role. +At least one kind is required.

+ + + + + +
exclude + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.MatchResources + + +
+ + +

ExcludeResources defines when cleanuppolicy should not be applied. The exclude +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the name or role.

+ + + + + +
schedule + + * + +
+ + + + + string + + +
+ + +

The schedule in Cron format

+ + + + + +
conditions + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.AnyAllConditions + + +
+ + +

Conditions defines the conditions used to select the resources which will be cleaned up.

+ + + + + +
+ +
status + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.CleanupPolicyStatus + + +
+ + +

Status contains policy runtime data.

+ + + + + +
+ + +

ClusterCleanupPolicy +

+ + + +

ClusterCleanupPolicy defines rule for resource cleanup.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v2alpha1
kind
string
ClusterCleanupPolicy
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.CleanupPolicySpec + + +
+ + +

Spec declares policy behaviors.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
context + +
+ + + + + + []ContextEntry + + + +
+ + +

Context defines variables and data sources that can be used during rule execution.

+ + + + + +
match + + * + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.MatchResources + + +
+ + +

MatchResources defines when cleanuppolicy should be applied. The match +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the user name or role. +At least one kind is required.

+ + + + + +
exclude + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.MatchResources + + +
+ + +

ExcludeResources defines when cleanuppolicy should not be applied. The exclude +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the name or role.

+ + + + + +
schedule + + * + +
+ + + + + string + + +
+ + +

The schedule in Cron format

+ + + + + +
conditions + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.AnyAllConditions + + +
+ + +

Conditions defines the conditions used to select the resources which will be cleaned up.

+ + + + + +
+ +
status + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.CleanupPolicyStatus + + +
+ + +

Status contains policy runtime data.

+ + + + + +
+ + +

GlobalContextEntry +

+ + + +

GlobalContextEntry declares resources to be cached.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v2alpha1
kind
string
GlobalContextEntry
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + + GlobalContextEntrySpec + + + +
+ + +

Spec declares policy exception behaviors.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + +
kubernetesResource + + * + +
+ + + + + + KubernetesResource + + + +
+ + +

KubernetesResource stores infos about kubernetes resource that should be cached

+ + + + + +
apiCall + + * + +
+ + + + + + ExternalAPICall + + + +
+ + +

APICall stores infos about API call that should be cached

+ + + + + +
+ +
status + +
+ + + + + + GlobalContextEntryStatus + + + +
+ + +

Status contains globalcontextentry runtime data.

+ + + + + +
+ + +

PolicyException +

+ + + +

PolicyException declares resources to be excluded from specified policies.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v2alpha1
kind
string
PolicyException
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.PolicyExceptionSpec + + +
+ + +

Spec declares policy exception behaviors.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
background + + * + +
+ + + + + bool + + +
+ + +

Background controls if exceptions are applied to existing policies during a background scan. +Optional. Default value is "true". The value must be set to "false" if the policy rule +uses variables that are only available in the admission review request (e.g. user name).

+ + + + + +
match + + * + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.MatchResources + + +
+ + +

Match defines match clause used to check if a resource applies to the exception

+ + + + + +
conditions + +
+ + + + + github.com/kyverno/kyverno/api/kyverno/v2beta1.AnyAllConditions + + +
+ + +

Conditions are used to determine if a resource applies to the exception by evaluating a +set of conditions. The declaration can contain nested any or all statements.

+ + + + + +
exceptions + + * + +
+ + + + + []github.com/kyverno/kyverno/api/kyverno/v2beta1.Exception + + +
+ + +

Exceptions is a list policy/rules to be excluded

+ + + + + +
podSecurity + +
+ + + + + + []PodSecurityStandard + + + +
+ + +

PodSecurity specifies the Pod Security Standard controls to be excluded. +Applicable only to policies that have validate.podSecurity subrule.

+ + + + + +
+ +
+ + +

ExternalAPICall +

+ + +

+ (Appears in: + GlobalContextEntrySpec) +

+ + +

ExternalAPICall stores infos about API call that should be cached

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
APICall + + * + +
+ + + + + + APICall + + + +
+ +

(Members of APICall are embedded into this type.)

+ + + + + + + +
refreshInterval + + * + +
+ + + + + meta/v1.Duration + + +
+ + +

RefreshInterval defines the interval in duration at which to poll the APICall

+ + + + + +
+ + +

GlobalContextEntrySpec +

+ + +

+ (Appears in: + GlobalContextEntry) +

+ + +

GlobalContextEntrySpec stores policy exception spec

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
kubernetesResource + + * + +
+ + + + + + KubernetesResource + + + +
+ + +

KubernetesResource stores infos about kubernetes resource that should be cached

+ + + + + +
apiCall + + * + +
+ + + + + + ExternalAPICall + + + +
+ + +

APICall stores infos about API call that should be cached

+ + + + + +
+ + +

GlobalContextEntryStatus +

+ + +

+ (Appears in: + GlobalContextEntry) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
ready + + * + +
+ + + + + bool + + +
+ + +

Deprecated in favor of Conditions

+ + + + + +
conditions + +
+ + + + + []meta/v1.Condition + + +
+ + + + + + + +
+ + +

KubernetesResource +

+ + +

+ (Appears in: + GlobalContextEntrySpec) +

+ + +

KubernetesResource stores infos about kubernetes resource that should be cached

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
group + + * + +
+ + + + + string + + +
+ + +

Group defines the group of the resource

+ + + + + +
version + + * + +
+ + + + + string + + +
+ + +

Version defines the version of the resource

+ + + + + +
resource + + * + +
+ + + + + string + + +
+ + +

Resource defines the type of the resource

+ + + + + +
namespace + + * + +
+ + + + + string + + +
+ + +

Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.

+ + + + + +
+ + + +
+ +
+ + diff --git a/docs/user/crd/kyverno.v2beta1.html b/docs/user/crd/kyverno.v2beta1.html new file mode 100644 index 0000000000..4ef88fc240 --- /dev/null +++ b/docs/user/crd/kyverno.v2beta1.html @@ -0,0 +1,4836 @@ + + + + + + + + + +
+ + + +

Package: kyverno.io/v2beta1

+

+ + + + + +

Resource Types:

+ + + + +

CleanupPolicy +

+ + + +

CleanupPolicy defines a rule for resource cleanup.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v2beta1
kind
string
CleanupPolicy
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + + CleanupPolicySpec + + + +
+ + +

Spec declares policy behaviors.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
context + +
+ + + + + + []ContextEntry + + + +
+ + +

Context defines variables and data sources that can be used during rule execution.

+ + + + + +
match + + * + +
+ + + + + + MatchResources + + + +
+ + +

MatchResources defines when cleanuppolicy should be applied. The match +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the user name or role. +At least one kind is required.

+ + + + + +
exclude + +
+ + + + + + MatchResources + + + +
+ + +

ExcludeResources defines when cleanuppolicy should not be applied. The exclude +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the name or role.

+ + + + + +
schedule + + * + +
+ + + + + string + + +
+ + +

The schedule in Cron format

+ + + + + +
conditions + +
+ + + + + + AnyAllConditions + + + +
+ + +

Conditions defines the conditions used to select the resources which will be cleaned up.

+ + + + + +
+ +
status + +
+ + + + + + CleanupPolicyStatus + + + +
+ + +

Status contains policy runtime data.

+ + + + + +
+ + +

ClusterCleanupPolicy +

+ + + +

ClusterCleanupPolicy defines rule for resource cleanup.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v2beta1
kind
string
ClusterCleanupPolicy
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + + CleanupPolicySpec + + + +
+ + +

Spec declares policy behaviors.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
context + +
+ + + + + + []ContextEntry + + + +
+ + +

Context defines variables and data sources that can be used during rule execution.

+ + + + + +
match + + * + +
+ + + + + + MatchResources + + + +
+ + +

MatchResources defines when cleanuppolicy should be applied. The match +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the user name or role. +At least one kind is required.

+ + + + + +
exclude + +
+ + + + + + MatchResources + + + +
+ + +

ExcludeResources defines when cleanuppolicy should not be applied. The exclude +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the name or role.

+ + + + + +
schedule + + * + +
+ + + + + string + + +
+ + +

The schedule in Cron format

+ + + + + +
conditions + +
+ + + + + + AnyAllConditions + + + +
+ + +

Conditions defines the conditions used to select the resources which will be cleaned up.

+ + + + + +
+ +
status + +
+ + + + + + CleanupPolicyStatus + + + +
+ + +

Status contains policy runtime data.

+ + + + + +
+ + +

ClusterPolicy +

+ + + +

ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v2beta1
kind
string
ClusterPolicy
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + + Spec + + + +
+ + +

Spec declares policy behaviors.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
rules + + * + +
+ + + + + + []Rule + + + +
+ + +

Rules is a list of Rule instances. A Policy contains multiple rules and +each rule can validate, mutate, or generate resources.

+ + + + + +
applyRules + +
+ + + + + + ApplyRulesType + + + +
+ + +

ApplyRules controls how rules in a policy are applied. Rule are processed in +the order of declaration. When set to One processing stops after a rule has +been applied i.e. the rule matches and results in a pass, fail, or error. When +set to All all rules in the policy are processed. The default is All.

+ + + + + +
failurePolicy + +
+ + + + + + FailurePolicyType + + + +
+ + +

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. +Rules within the same policy share the same failure behavior. +Allowed values are Ignore or Fail. Defaults to Fail.

+ + + + + +
validationFailureAction + +
+ + + + + + ValidationFailureAction + + + +
+ + +

ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce. The default value is "Audit".

+ + + + + +
validationFailureActionOverrides + +
+ + + + + + []ValidationFailureActionOverride + + + +
+ + +

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+ + + + + +
admission + +
+ + + + + bool + + +
+ + +

Admission controls if rules are applied during admission. +Optional. Default value is "true".

+ + + + + +
background + +
+ + + + + bool + + +
+ + +

Background controls if rules are applied to existing resources during a background scan. +Optional. Default value is "true". The value must be set to "false" if the policy rule +uses variables that are only available in the admission review request (e.g. user name).

+ + + + + +
schemaValidation + + * + +
+ + + + + bool + + +
+ + +

Deprecated.

+ + + + + +
webhookTimeoutSeconds + + * + +
+ + + + + int32 + + +
+ + +

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. +After the configured time expires, the admission request may fail, or may simply ignore the policy results, +based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+ + + + + +
mutateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. +Default value is "false".

+ + + + + +
generateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

Deprecated, use generateExisting instead

+ + + + + +
generateExisting + +
+ + + + + bool + + +
+ + +

GenerateExisting controls whether to trigger generate rule in existing resources +If is set to "true" generate rule will be triggered and applied to existing matched resources. +Defaults to "false" if not specified.

+ + + + + +
useServerSideApply + +
+ + + + + bool + + +
+ + +

UseServerSideApply controls whether to use server-side apply for generate rules +If is set to "true" create & update for generate rules will use apply instead of create/update. +Defaults to "false" if not specified.

+ + + + + +
webhookConfiguration + +
+ + + + + + WebhookConfiguration + + + +
+ + +

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. +Requires Kubernetes 1.27 or later.

+ + + + + +
+ +
status + +
+ + + + + + PolicyStatus + + + +
+ + +

Status contains policy runtime data.

+ + + + + +
+ + +

Policy +

+ + + +

Policy declares validation, mutation, and generation behaviors for matching resources. +See: https://kyverno.io/docs/writing-policies/ for more information.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v2beta1
kind
string
Policy
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + + Spec + + + +
+ + +

Spec defines policy behaviors and contains one or more rules.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
rules + + * + +
+ + + + + + []Rule + + + +
+ + +

Rules is a list of Rule instances. A Policy contains multiple rules and +each rule can validate, mutate, or generate resources.

+ + + + + +
applyRules + +
+ + + + + + ApplyRulesType + + + +
+ + +

ApplyRules controls how rules in a policy are applied. Rule are processed in +the order of declaration. When set to One processing stops after a rule has +been applied i.e. the rule matches and results in a pass, fail, or error. When +set to All all rules in the policy are processed. The default is All.

+ + + + + +
failurePolicy + +
+ + + + + + FailurePolicyType + + + +
+ + +

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. +Rules within the same policy share the same failure behavior. +Allowed values are Ignore or Fail. Defaults to Fail.

+ + + + + +
validationFailureAction + +
+ + + + + + ValidationFailureAction + + + +
+ + +

ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce. The default value is "Audit".

+ + + + + +
validationFailureActionOverrides + +
+ + + + + + []ValidationFailureActionOverride + + + +
+ + +

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+ + + + + +
admission + +
+ + + + + bool + + +
+ + +

Admission controls if rules are applied during admission. +Optional. Default value is "true".

+ + + + + +
background + +
+ + + + + bool + + +
+ + +

Background controls if rules are applied to existing resources during a background scan. +Optional. Default value is "true". The value must be set to "false" if the policy rule +uses variables that are only available in the admission review request (e.g. user name).

+ + + + + +
schemaValidation + + * + +
+ + + + + bool + + +
+ + +

Deprecated.

+ + + + + +
webhookTimeoutSeconds + + * + +
+ + + + + int32 + + +
+ + +

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. +After the configured time expires, the admission request may fail, or may simply ignore the policy results, +based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+ + + + + +
mutateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. +Default value is "false".

+ + + + + +
generateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

Deprecated, use generateExisting instead

+ + + + + +
generateExisting + +
+ + + + + bool + + +
+ + +

GenerateExisting controls whether to trigger generate rule in existing resources +If is set to "true" generate rule will be triggered and applied to existing matched resources. +Defaults to "false" if not specified.

+ + + + + +
useServerSideApply + +
+ + + + + bool + + +
+ + +

UseServerSideApply controls whether to use server-side apply for generate rules +If is set to "true" create & update for generate rules will use apply instead of create/update. +Defaults to "false" if not specified.

+ + + + + +
webhookConfiguration + +
+ + + + + + WebhookConfiguration + + + +
+ + +

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. +Requires Kubernetes 1.27 or later.

+ + + + + +
+ +
status + +
+ + + + + + PolicyStatus + + + +
+ + +

Status contains policy runtime data.

+ + + + + +
+ + +

PolicyException +

+ + + +

PolicyException declares resources to be excluded from specified policies.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
kyverno.io/v2beta1
kind
string
PolicyException
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
spec + + * + +
+ + + + + + PolicyExceptionSpec + + + +
+ + +

Spec declares policy exception behaviors.

+ + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
background + + * + +
+ + + + + bool + + +
+ + +

Background controls if exceptions are applied to existing policies during a background scan. +Optional. Default value is "true". The value must be set to "false" if the policy rule +uses variables that are only available in the admission review request (e.g. user name).

+ + + + + +
match + + * + +
+ + + + + + MatchResources + + + +
+ + +

Match defines match clause used to check if a resource applies to the exception

+ + + + + +
conditions + +
+ + + + + + AnyAllConditions + + + +
+ + +

Conditions are used to determine if a resource applies to the exception by evaluating a +set of conditions. The declaration can contain nested any or all statements.

+ + + + + +
exceptions + + * + +
+ + + + + + []Exception + + + +
+ + +

Exceptions is a list policy/rules to be excluded

+ + + + + +
podSecurity + +
+ + + + + + []PodSecurityStandard + + + +
+ + +

PodSecurity specifies the Pod Security Standard controls to be excluded. +Applicable only to policies that have validate.podSecurity subrule.

+ + + + + +
+ +
+ + +

AnyAllConditions +

+ + +

+ (Appears in: + CleanupPolicySpec, + Deny, + PolicyExceptionSpec, + Rule) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
any + +
+ + + + + + []Condition + + + +
+ + +

AnyConditions enable variable-based conditional rule execution. This is useful for +finer control of when an rule is applied. A condition can reference object data +using JMESPath notation. +Here, at least one of the conditions need to pass.

+ + + + + +
all + +
+ + + + + + []Condition + + + +
+ + +

AllConditions enable variable-based conditional rule execution. This is useful for +finer control of when an rule is applied. A condition can reference object data +using JMESPath notation. +Here, all of the conditions need to pass.

+ + + + + +
+ + +

CleanupPolicySpec +

+ + +

+ (Appears in: + CleanupPolicy, + CleanupPolicy, + ClusterCleanupPolicy, + ClusterCleanupPolicy) +

+ + +

CleanupPolicySpec stores specifications for selecting resources that the user needs to delete +and schedule when the matching resources needs deleted.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
context + +
+ + + + + + []ContextEntry + + + +
+ + +

Context defines variables and data sources that can be used during rule execution.

+ + + + + +
match + + * + +
+ + + + + + MatchResources + + + +
+ + +

MatchResources defines when cleanuppolicy should be applied. The match +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the user name or role. +At least one kind is required.

+ + + + + +
exclude + +
+ + + + + + MatchResources + + + +
+ + +

ExcludeResources defines when cleanuppolicy should not be applied. The exclude +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the name or role.

+ + + + + +
schedule + + * + +
+ + + + + string + + +
+ + +

The schedule in Cron format

+ + + + + +
conditions + +
+ + + + + + AnyAllConditions + + + +
+ + +

Conditions defines the conditions used to select the resources which will be cleaned up.

+ + + + + +
+ + +

CleanupPolicyStatus +

+ + +

+ (Appears in: + CleanupPolicy, + CleanupPolicy, + ClusterCleanupPolicy, + ClusterCleanupPolicy) +

+ + +

CleanupPolicyStatus stores the status of the policy.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
conditions + + * + +
+ + + + + []meta/v1.Condition + + +
+ + + + + + + +
lastExecutionTime + + * + +
+ + + + + meta/v1.Time + + +
+ + + + + + + +
+ + +

Condition +

+ + +

+ (Appears in: + AnyAllConditions) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
key + + * + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Key is the context entry (using JMESPath) for conditional rule evaluation.

+ + + + + +
operator + + * + +
+ + + + + + ConditionOperator + + + +
+ + +

Operator is the conditional operation to perform. Valid operators are: +Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, +GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, +DurationLessThanOrEquals, DurationLessThan

+ + + + + +
value + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Value is the conditional value, or set of values. The values can be fixed set +or can be variables declared using JMESPath.

+ + + + + +
message + + * + +
+ + + + + string + + +
+ + +

Message is an optional display message

+ + + + + +
+ + +

ConditionOperator + (string alias)

+ + +

+ (Appears in: + Condition) +

+ + +

ConditionOperator is the operation performed on condition key and value.

+

+ + + +

Deny +

+ + +

+ (Appears in: + Validation) +

+ + +

Deny specifies a list of conditions used to pass or fail a validation rule.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
conditions + + * + +
+ + + + + + AnyAllConditions + + + +
+ + +

Multiple conditions can be declared under an any or all statement. +See: https://kyverno.io/docs/writing-policies/validate/#deny-rules

+ + + + + +
+ + +

Exception +

+ + +

+ (Appears in: + PolicyExceptionSpec) +

+ + +

Exception stores infos about a policy and rules

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
policyName + + * + +
+ + + + + string + + +
+ + +

PolicyName identifies the policy to which the exception is applied. +The policy name uses the format / unless it +references a ClusterPolicy.

+ + + + + +
ruleNames + + * + +
+ + + + + []string + + +
+ + +

RuleNames identifies the rules to which the exception is applied.

+ + + + + +
+ + +

ImageVerification +

+ + +

+ (Appears in: + Rule) +

+ + +

ImageVerification validates that images that match the specified pattern +are signed with the supplied public key. Once the image is verified it is +mutated to include the SHA digest retrieved during the registration.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
type + + * + +
+ + + + + + ImageVerificationType + + + +
+ + +

Type specifies the method of signature validation. The allowed options +are Cosign and Notary. By default Cosign is used if a type is not specified.

+ + + + + +
imageReferences + + * + +
+ + + + + []string + + +
+ + +

ImageReferences is a list of matching image reference patterns. At least one pattern in the +list must match the image for the rule to apply. Each image reference consists of a registry +address (defaults to docker.io), repository, image, and tag (defaults to latest). +Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.

+ + + + + +
skipImageReferences + + * + +
+ + + + + []string + + +
+ + +

SkipImageReferences is a list of matching image reference patterns that should be skipped. +At least one pattern in the list must match the image for the rule to be skipped. Each image reference +consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). +Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.

+ + + + + +
attestors + + * + +
+ + + + + + []AttestorSet + + + +
+ + +

Attestors specified the required attestors (i.e. authorities)

+ + + + + +
attestations + + * + +
+ + + + + + []Attestation + + + +
+ + +

Attestations are optional checks for signed in-toto Statements used to verify the image. +See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the +OCI registry and decodes them into a list of Statement declarations.

+ + + + + +
repository + + * + +
+ + + + + string + + +
+ + +

Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. +If specified Repository will override the default OCI image repository configured for the installation. +The repository can also be overridden per Attestor or Attestation.

+ + + + + +
mutateDigest + + * + +
+ + + + + bool + + +
+ + +

MutateDigest enables replacement of image tags with digests. +Defaults to true.

+ + + + + +
verifyDigest + + * + +
+ + + + + bool + + +
+ + +

VerifyDigest validates that images have a digest.

+ + + + + +
required + + * + +
+ + + + + bool + + +
+ + +

Required validates that images are verified i.e. have matched passed a signature or attestation check.

+ + + + + +
imageRegistryCredentials + + * + +
+ + + + + + ImageRegistryCredentials + + + +
+ + +

ImageRegistryCredentials provides credentials that will be used for authentication with registry

+ + + + + +
useCache + + * + +
+ + + + + bool + + +
+ + +

UseCache enables caching of image verify responses for this rule

+ + + + + +
+ + +

MatchResources +

+ + +

+ (Appears in: + CleanupPolicySpec, + PolicyExceptionSpec, + Rule) +

+ + +

MatchResources is used to specify resource and admission review request data for +which a policy rule is applicable.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
any + +
+ + + + + + ResourceFilters + + + +
+ + +

Any allows specifying resources which will be ORed

+ + + + + +
all + +
+ + + + + + ResourceFilters + + + +
+ + +

All allows specifying resources which will be ANDed

+ + + + + +
+ + +

PolicyExceptionSpec +

+ + +

+ (Appears in: + PolicyException, + PolicyException) +

+ + +

PolicyExceptionSpec stores policy exception spec

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
background + + * + +
+ + + + + bool + + +
+ + +

Background controls if exceptions are applied to existing policies during a background scan. +Optional. Default value is "true". The value must be set to "false" if the policy rule +uses variables that are only available in the admission review request (e.g. user name).

+ + + + + +
match + + * + +
+ + + + + + MatchResources + + + +
+ + +

Match defines match clause used to check if a resource applies to the exception

+ + + + + +
conditions + +
+ + + + + + AnyAllConditions + + + +
+ + +

Conditions are used to determine if a resource applies to the exception by evaluating a +set of conditions. The declaration can contain nested any or all statements.

+ + + + + +
exceptions + + * + +
+ + + + + + []Exception + + + +
+ + +

Exceptions is a list policy/rules to be excluded

+ + + + + +
podSecurity + +
+ + + + + + []PodSecurityStandard + + + +
+ + +

PodSecurity specifies the Pod Security Standard controls to be excluded. +Applicable only to policies that have validate.podSecurity subrule.

+ + + + + +
+ + +

ResourceDescription +

+ + +

+ (Appears in:) +

+ + +

ResourceDescription contains criteria used to match resources.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
kinds + +
+ + + + + []string + + +
+ + +

Kinds is a list of resource kinds.

+ + + + + +
names + +
+ + + + + []string + + +
+ + +

Names are the names of the resources. Each name supports wildcard characters +"*" (matches zero or many characters) and "?" (at least one character).

+ + + + + +
namespaces + +
+ + + + + []string + + +
+ + +

Namespaces is a list of namespaces names. Each name supports wildcard characters +"*" (matches zero or many characters) and "?" (at least one character).

+ + + + + +
annotations + +
+ + + + + map[string]string + + +
+ + +

Annotations is a map of annotations (key-value pairs of type string). Annotation keys +and values support the wildcard characters "*" (matches zero or many characters) and +"?" (matches at least one character).

+ + + + + +
selector + +
+ + + + + meta/v1.LabelSelector + + +
+ + +

Selector is a label selector. Label keys and values in matchLabels support the wildcard +characters * (matches zero or many characters) and ? (matches one character). +Wildcards allows writing label selectors like ["storage.k8s.io/": ""]. Note that +using ["" : ""] matches any key and value but does not match an empty label set.

+ + + + + +
namespaceSelector + +
+ + + + + meta/v1.LabelSelector + + +
+ + +

NamespaceSelector is a label selector for the resource namespace. Label keys and values +in matchLabels support the wildcard characters * (matches zero or many characters) +and ? (matches one character).Wildcards allows writing label selectors like +["storage.k8s.io/": ""]. Note that using ["" : ""] matches any key and value but +does not match an empty label set.

+ + + + + +
operations + +
+ + + + + + []AdmissionOperation + + + +
+ + +

Operations can contain values ["CREATE, "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.

+ + + + + +
+ + +

Rule +

+ + +

+ (Appears in: + Spec) +

+ + +

Rule defines a validation, mutation, or generation control for matching resources. +Each rules contains a match declaration to select resources, and an optional exclude +declaration to specify which resources to exclude.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
name + + * + +
+ + + + + string + + +
+ + +

Name is a label to identify the rule, It must be unique within the policy.

+ + + + + +
context + +
+ + + + + + []ContextEntry + + + +
+ + +

Context defines variables and data sources that can be used during rule execution.

+ + + + + +
match + + * + +
+ + + + + + MatchResources + + + +
+ + +

MatchResources defines when this policy rule should be applied. The match +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the user name or role. +At least one kind is required.

+ + + + + +
exclude + +
+ + + + + + MatchResources + + + +
+ + +

ExcludeResources defines when this policy rule should not be applied. The exclude +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the name or role.

+ + + + + +
imageExtractors + +
+ + + + + + ImageExtractorConfigs + + + +
+ + +

ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. +This config is only valid for verifyImages rules.

+ + + + + +
preconditions + +
+ + + + + + AnyAllConditions + + + +
+ + +

Preconditions are used to determine if a policy rule should be applied by evaluating a +set of conditions. The declaration can contain nested any or all statements. +See: https://kyverno.io/docs/writing-policies/preconditions/

+ + + + + +
celPreconditions + +
+ + + + + []admissionregistration/v1.MatchCondition + + +
+ + +

CELPreconditions are used to determine if a policy rule should be applied by evaluating a +set of CEL conditions. It can only be used with the validate.cel subrule

+ + + + + +
mutate + +
+ + + + + + Mutation + + + +
+ + +

Mutation is used to modify matching resources.

+ + + + + +
validate + +
+ + + + + + Validation + + + +
+ + +

Validation is used to validate matching resources.

+ + + + + +
generate + +
+ + + + + + Generation + + + +
+ + +

Generation is used to create new resources.

+ + + + + +
verifyImages + +
+ + + + + + []ImageVerification + + + +
+ + +

VerifyImages is used to verify image signatures and mutate them to add a digest

+ + + + + +
skipBackgroundRequests + + * + +
+ + + + + bool + + +
+ + +

SkipBackgroundRequests bypasses admission requests that are sent by the background controller. +The default value is set to "true", it must be set to "false" to apply +generate and mutateExisting rules to those requests.

+ + + + + +
+ + +

Spec +

+ + +

+ (Appears in: + ClusterPolicy, + Policy) +

+ + +

Spec contains a list of Rule instances and other policy controls.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
rules + + * + +
+ + + + + + []Rule + + + +
+ + +

Rules is a list of Rule instances. A Policy contains multiple rules and +each rule can validate, mutate, or generate resources.

+ + + + + +
applyRules + +
+ + + + + + ApplyRulesType + + + +
+ + +

ApplyRules controls how rules in a policy are applied. Rule are processed in +the order of declaration. When set to One processing stops after a rule has +been applied i.e. the rule matches and results in a pass, fail, or error. When +set to All all rules in the policy are processed. The default is All.

+ + + + + +
failurePolicy + +
+ + + + + + FailurePolicyType + + + +
+ + +

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. +Rules within the same policy share the same failure behavior. +Allowed values are Ignore or Fail. Defaults to Fail.

+ + + + + +
validationFailureAction + +
+ + + + + + ValidationFailureAction + + + +
+ + +

ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce. The default value is "Audit".

+ + + + + +
validationFailureActionOverrides + +
+ + + + + + []ValidationFailureActionOverride + + + +
+ + +

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+ + + + + +
admission + +
+ + + + + bool + + +
+ + +

Admission controls if rules are applied during admission. +Optional. Default value is "true".

+ + + + + +
background + +
+ + + + + bool + + +
+ + +

Background controls if rules are applied to existing resources during a background scan. +Optional. Default value is "true". The value must be set to "false" if the policy rule +uses variables that are only available in the admission review request (e.g. user name).

+ + + + + +
schemaValidation + + * + +
+ + + + + bool + + +
+ + +

Deprecated.

+ + + + + +
webhookTimeoutSeconds + + * + +
+ + + + + int32 + + +
+ + +

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. +After the configured time expires, the admission request may fail, or may simply ignore the policy results, +based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+ + + + + +
mutateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. +Default value is "false".

+ + + + + +
generateExistingOnPolicyUpdate + +
+ + + + + bool + + +
+ + +

Deprecated, use generateExisting instead

+ + + + + +
generateExisting + +
+ + + + + bool + + +
+ + +

GenerateExisting controls whether to trigger generate rule in existing resources +If is set to "true" generate rule will be triggered and applied to existing matched resources. +Defaults to "false" if not specified.

+ + + + + +
useServerSideApply + +
+ + + + + bool + + +
+ + +

UseServerSideApply controls whether to use server-side apply for generate rules +If is set to "true" create & update for generate rules will use apply instead of create/update. +Defaults to "false" if not specified.

+ + + + + +
webhookConfiguration + +
+ + + + + + WebhookConfiguration + + + +
+ + +

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. +Requires Kubernetes 1.27 or later.

+ + + + + +
+ + +

Validation +

+ + +

+ (Appears in: + Rule) +

+ + +

Validation defines checks to be performed on matching resources.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
message + +
+ + + + + string + + +
+ + +

Message specifies a custom message to be displayed on failure.

+ + + + + +
manifests + +
+ + + + + + Manifests + + + +
+ + +

Manifest specifies conditions for manifest verification

+ + + + + +
foreach + +
+ + + + + + []ForEachValidation + + + +
+ + +

ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.

+ + + + + +
pattern + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

Pattern specifies an overlay-style pattern used to check resources.

+ + + + + +
anyPattern + +
+ + + + + k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + +
+ + +

AnyPattern specifies list of validation patterns. At least one of the patterns +must be satisfied for the validation rule to succeed.

+ + + + + +
deny + +
+ + + + + + Deny + + + +
+ + +

Deny defines conditions used to pass or fail a validation rule.

+ + + + + +
podSecurity + +
+ + + + + + PodSecurity + + + +
+ + +

PodSecurity applies exemptions for Kubernetes Pod Security admission +by specifying exclusions for Pod Security Standards controls.

+ + + + + +
cel + +
+ + + + + + CEL + + + +
+ + +

CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).

+ + + + + +
+ + +

WebhookConfiguration +

+ + +

+ (Appears in: + Spec) +

+ + +

WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
matchConditions + +
+ + + + + []admissionregistration/v1.MatchCondition + + +
+ + +

MatchCondition configures admission webhook matchConditions.

+ + + + + +
+ + + +
+ +
+ + diff --git a/docs/user/crd/kyverno_policyreport.v1alpha2.html b/docs/user/crd/kyverno_policyreport.v1alpha2.html new file mode 100644 index 0000000000..be6de085cd --- /dev/null +++ b/docs/user/crd/kyverno_policyreport.v1alpha2.html @@ -0,0 +1,1012 @@ + + + + + + + + + +
+ + + +

Package: wgpolicyk8s.io/v1alpha2

+

+ + + + + +

Resource Types:

+ + + + +

ClusterPolicyReport +

+ + + +

ClusterPolicyReport is the Schema for the clusterpolicyreports API

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
wgpolicyk8s.io/v1alpha2
kind
string
ClusterPolicyReport
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
scope + +
+ + + + + core/v1.ObjectReference + + +
+ + +

Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)

+ + + + + +
scopeSelector + +
+ + + + + meta/v1.LabelSelector + + +
+ + +

ScopeSelector is an optional selector for multiple scopes (e.g. Pods). +Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.

+ + + + + +
summary + +
+ + + + + + PolicyReportSummary + + + +
+ + +

PolicyReportSummary provides a summary of results

+ + + + + +
results + +
+ + + + + + []PolicyReportResult + + + +
+ + +

PolicyReportResult provides result details

+ + + + + +
+ + +

PolicyReport +

+ + + +

PolicyReport is the Schema for the policyreports API

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
apiVersion
string
wgpolicyk8s.io/v1alpha2
kind
string
PolicyReport
metadata + + * + +
+ + + + + meta/v1.ObjectMeta + + +
+ + + + + + Refer to the Kubernetes API documentation for the fields of the + metadata field. + + + +
scope + +
+ + + + + core/v1.ObjectReference + + +
+ + +

Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)

+ + + + + +
scopeSelector + +
+ + + + + meta/v1.LabelSelector + + +
+ + +

ScopeSelector is an optional selector for multiple scopes (e.g. Pods). +Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.

+ + + + + +
summary + +
+ + + + + + PolicyReportSummary + + + +
+ + +

PolicyReportSummary provides a summary of results

+ + + + + +
results + +
+ + + + + + []PolicyReportResult + + + +
+ + +

PolicyReportResult provides result details

+ + + + + +
+ + +

PolicyReportResult +

+ + +

+ (Appears in: + ClusterPolicyReport, + PolicyReport) +

+ + +

PolicyReportResult provides the result for an individual policy

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
source + +
+ + + + + string + + +
+ + +

Source is an identifier for the policy engine that manages this report

+ + + + + +
policy + + * + +
+ + + + + string + + +
+ + +

Policy is the name or identifier of the policy

+ + + + + +
rule + +
+ + + + + string + + +
+ + +

Rule is the name or identifier of the rule within the policy

+ + + + + +
resources + +
+ + + + + []core/v1.ObjectReference + + +
+ + +

Subjects is an optional reference to the checked Kubernetes resources

+ + + + + +
resourceSelector + +
+ + + + + meta/v1.LabelSelector + + +
+ + +

SubjectSelector is an optional label selector for checked Kubernetes resources. +For example, a policy result may apply to all pods that match a label. +Either a Subject or a SubjectSelector can be specified. +If neither are provided, the result is assumed to be for the policy report scope.

+ + + + + +
message + + * + +
+ + + + + string + + +
+ + +

Description is a short user friendly message for the policy rule

+ + + + + +
result + + * + +
+ + + + + + PolicyResult + + + +
+ + +

Result indicates the outcome of the policy rule execution

+ + + + + +
scored + + * + +
+ + + + + bool + + +
+ + +

Scored indicates if this result is scored

+ + + + + +
properties + + * + +
+ + + + + map[string]string + + +
+ + +

Properties provides additional information for the policy rule

+ + + + + +
timestamp + + * + +
+ + + + + meta/v1.Timestamp + + +
+ + +

Timestamp indicates the time the result was found

+ + + + + +
category + +
+ + + + + string + + +
+ + +

Category indicates policy category

+ + + + + +
severity + +
+ + + + + + PolicySeverity + + + +
+ + +

Severity indicates policy check result criticality

+ + + + + +
+ + +

PolicyReportSummary +

+ + +

+ (Appears in: + ClusterPolicyReport, + PolicyReport) +

+ + +

PolicyReportSummary provides a status count summary

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
pass + +
+ + + + + int + + +
+ + +

Pass provides the count of policies whose requirements were met

+ + + + + +
fail + +
+ + + + + int + + +
+ + +

Fail provides the count of policies whose requirements were not met

+ + + + + +
warn + +
+ + + + + int + + +
+ + +

Warn provides the count of non-scored policies whose requirements were not met

+ + + + + +
error + +
+ + + + + int + + +
+ + +

Error provides the count of policies that could not be evaluated

+ + + + + +
skip + +
+ + + + + int + + +
+ + +

Skip indicates the count of policies that were not selected for evaluation

+ + + + + +
+ + +

PolicyResult + (string alias)

+ + +

+ (Appears in: + PolicyReportResult) +

+ + +

PolicyResult has one of the following values:

+
    +
  • pass: indicates that the policy requirements are met
  • +
  • fail: indicates that the policy requirements are not met
  • +
  • warn: indicates that the policy requirements and not met, and the policy is not scored
  • +
  • error: indicates that the policy could not be evaluated
  • +
  • skip: indicates that the policy was not selected based on user inputs or applicability
  • +
+

+ + + +

PolicySeverity + (string alias)

+ + +

+ (Appears in: + PolicyReportResult) +

+ + +

PolicySeverity has one of the following values:

+
    +
  • critical
  • +
  • high
  • +
  • low
  • +
  • medium
  • +
  • info
  • +
+

+ + + + +
+ +
+ + diff --git a/docs/user/html/members.tpl b/docs/user/html/members.tpl new file mode 100644 index 0000000000..77fc0235f3 --- /dev/null +++ b/docs/user/html/members.tpl @@ -0,0 +1,48 @@ +{{ define "members" }} + + {{/* . is a apiType */}} + {{ range .GetMembers }} + {{/* . is a apiMember */}} + {{ if not .Hidden }} + + {{ .FieldName }} + {{ if not .IsOptional }} + * + {{ end }} +
+ + {{/* Link for type reference */}} + {{ with .GetType }} + {{ if .Link }} + + {{ .DisplayName }} + + {{ else }} + {{ .DisplayName }} + {{ end }} + {{ end }} + + + {{ if .IsInline }} +

(Members of {{ .FieldName }} are embedded into this type.)

+ {{ end}} + + {{ .GetComment }} + + {{ if and (eq (.GetType.Name.Name) "ObjectMeta") }} + Refer to the Kubernetes API documentation for the fields of the + metadata field. + {{ end }} + + {{ if or (eq .FieldName "spec") }} +
+
+ + {{ template "members" .GetType }} +
+ {{ end }} + + + {{ end }} + {{ end }} +{{ end }} diff --git a/docs/user/html/pkg.tpl b/docs/user/html/pkg.tpl new file mode 100644 index 0000000000..eceb065be8 --- /dev/null +++ b/docs/user/html/pkg.tpl @@ -0,0 +1,56 @@ +{{ define "packages" }} + + + + + + + + +
+ {{ range .packages }} + {{/* Only display package that has a group name */}} + {{ if ne .GroupName "" }} +

Package: {{- .DisplayName -}}

+

{{ .GetComment }}

+ {{ end }} + {{ end }} + {{ range .packages }} + {{ if ne .GroupName "" }} + {{/* TODO: Make the following line conditional */}} +

Resource Types:

+
    + {{- range .VisibleTypes -}} + {{ if .IsExported -}} +
  • + {{ .DisplayName }} +
  • + {{- end }} + {{- end -}} +
+ + {{/* For package with a group name, list all type definitions in it. */}} + {{ range .VisibleTypes }} + {{- if or .Referenced .IsExported -}} + {{ template "type" . }} + {{- end -}} + {{ end }} + {{ else }} + {{/* For package without a group name, list only type definitions that are referenced. */}} + {{ range .VisibleTypes }} + {{ if .Referenced }} + {{ template "type" . }} + {{ end }} + {{ end }} + {{ end }} +
+ {{ end }} +
+ + +{{ end }} diff --git a/docs/user/html/type.tpl b/docs/user/html/type.tpl new file mode 100644 index 0000000000..f607deceb0 --- /dev/null +++ b/docs/user/html/type.tpl @@ -0,0 +1,52 @@ +{{ define "type" }} +

+ {{- .Name.Name }} + {{ if eq .Kind "Alias" }}({{ .Underlying }} alias)

{{ end -}} +

+ + {{ with .References }} +

+ (Appears in: + {{- $prev := "" -}} + {{- range . -}} + {{- if or .Referenced .IsExported -}} + {{- if $prev -}}, {{ end -}} + {{ $prev = . }} + {{ .DisplayName }} + {{- end }} + {{- end -}} + ) +

+ {{ end }} + +

{{ .GetComment }}

+ + {{ if .GetMembers }} + + + + + + + + + {{/* . is a apiType */}} + {{ if .IsExported }} + {{/* Add apiVersion and kind rows if deemed necessary */}} + + + + + + + + + {{ end }} + + {{/* The actual list of members is in the following template */}} + {{ template "members" .}} + + +
FieldDescription
apiVersion
string
{{ .APIGroup }}
kind
string
{{ .Name.Name }}
+ {{ end }} +{{ end }}
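Review bot: The `{{ with .References }}` block prints "(Appears in:" and the closing ")" whenever the reference list is non-empty, but the inner `range` only emits entries that are `.Referenced` or `.IsExported`, so a type whose referrers are all filtered out renders as an empty "(Appears in:)"; the generated kyverno.v2beta1.html in this same commit shows exactly that for ResourceDescription. Moving the prefix into the first-match branch and emitting the suffix only when `$prev` was set avoids the empty parenthesis without needing a new template function. The list is also keyed by type rather than display name, which is presumably why PolicyExceptionSpec's list reads "PolicyException, PolicyException" when two API versions refer to it; deduplicating by name would need a helper from the generator, so that one is worth a comment rather than a template change.
```gotemplate
{{ with .References }}
  {{/* … unchanged: wrapper markup … */}}
  {{- $prev := "" -}}
  {{- range . -}}
    {{- if or .Referenced .IsExported -}}
      {{- if $prev -}}, {{ else -}}(Appears in: {{ end -}}
      {{ $prev = . }}
      {{ .DisplayName }}
    {{- end }}
  {{- end -}}
  {{- if $prev -}}){{- end -}}
{{ end }}
```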