diff --git a/api/policyreport/v1alpha2/policyreport_types.go b/api/policyreport/v1alpha2/policyreport_types.go index bab99c9eac..3ab5a17353 100644 --- a/api/policyreport/v1alpha2/policyreport_types.go +++ b/api/policyreport/v1alpha2/policyreport_types.go @@ -34,9 +34,11 @@ const ( // Severity specifies priority of a policy result const ( - SeverityHigh = "high" - SeverityMedium = "medium" - SeverityLow = "low" + SeverityCritical = "critical" + SeverityHigh = "high" + SeverityMedium = "medium" + SeverityLow = "low" + SeverityInfo = "info" ) // PolicyReportSummary provides a status count summary @@ -49,7 +51,7 @@ type PolicyReportSummary struct { // +optional Fail int `json:"fail"` - // Warn provides the count of unscored policies whose requirements were not met + // Warn provides the count of non-scored policies whose requirements were not met // +optional Warn int `json:"warn"` @@ -80,10 +82,12 @@ func (prs PolicyReportSummary) ToMap() map[string]interface{} { type PolicyResult string // PolicySeverity has one of the following values: +// - critical // - high // - low // - medium -// +kubebuilder:validation:Enum=high;low;medium +// - info +// +kubebuilder:validation:Enum=critical;high;low;medium;info type PolicySeverity string // PolicyReportResult provides the result for an individual policy 
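Review bot: The two new severity levels in the `const (` block at -34,9 are still untyped string constants, so nothing ties them to the `PolicySeverity` type whose enum marker is widened later in this file. Typing the block, e.g. `SeverityCritical PolicySeverity = "critical"`, would let the compiler reject a severity assigned to an unrelated string field. Callers outside this diff that use the constants as plain strings would then need an explicit conversion, so check that before changing it. The block comment still calls severity a "priority" while the field comment at -129,7 now says "criticality"; pick one term and state the intended order, for example `// Severity levels from most to least severe: critical, high, medium, low, info.` if that is indeed the intended ranking.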
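Review bot: Widening the enum on `PolicySeverity` at -80,10 to `critical;high;low;medium;info` has a rollout and compatibility consequence that the type's comment does not mention. A report carrying `critical` or `info` is rejected by API server validation on any cluster where the older CRD is still installed, so the CRD has to be applied before anything emits the new values. Consumers that rank or filter results by a fixed set of severities (none are visible in this diff) may mis-rank or drop `critical` findings, which is the wrong way to fail for a security report. I would add a line such as `// critical and info were added after high/medium/low; consumers must handle them explicitly.` above the marker. The value list in the comment and in the marker is in neither alphabetical nor severity order, so settle on one.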
@@ -92,31 +96,31 @@ type PolicyReportResult struct { // +optional Source string `json:"source"` - // Policy is the name of the policy + // Policy is the name or identifier of the policy Policy string `json:"policy"` - // Rule is the name of the policy rule + // Rule is the name or identifier of the rule within the policy // +optional Rule string `json:"rule,omitempty"` - // Resources is an optional reference to the resource checked by the policy and rule + // Subjects is an optional reference to the checked Kubernetes resources // +optional Resources []corev1.ObjectReference `json:"resources,omitempty"` - // ResourceSelector is an optional selector for policy results that apply to multiple resources. + // SubjectSelector is an optional label selector for checked Kubernetes resources. // For example, a policy result may apply to all pods that match a label. - // Either a Resource or a ResourceSelector can be specified. If neither are provided, the - // result is assumed to be for the policy report scope. + // Either a Subject or a SubjectSelector can be specified. + // If neither are provided, the result is assumed to be for the policy report scope. // +optional ResourceSelector *metav1.LabelSelector `json:"resourceSelector,omitempty"` - // Message is a short user friendly description of the policy rule + // Description is a short user friendly message for the policy rule Message string `json:"message,omitempty"` // Result indicates the outcome of the policy rule execution Result PolicyResult `json:"result,omitempty"` - // Scored indicates if this policy rule is scored + // Scored indicates if this result is scored Scored bool `json:"scored,omitempty"` // Properties provides additional information for the policy rule 
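Review bot: Three of the rewritten field comments in `PolicyReportResult` now open with a name that is not the field they document: "Subjects" sits on `Resources`, "SubjectSelector" on `ResourceSelector`, and "Description" on `Message`. The Go field names and JSON keys are unchanged, so the comments break the doc convention of starting with the identifier. The same text is copied into the CRD `description` fields in the YAML sections of this diff, where `resourceSelector` and `message` are described under names users cannot set. Keep the new wording but the real names: `// Resources is an optional reference to the checked Kubernetes resources`, `// ResourceSelector is an optional label selector for checked Kubernetes resources.`, `// Message is a short user friendly message for the policy rule`, and likewise "Either Resources or a ResourceSelector can be specified". If the wording anticipates a planned field rename, say so in the comment; the struct continues past this hunk, so a rename elsewhere in the file is not visible here.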
@@ -129,7 +133,7 @@ type PolicyReportResult struct { // +optional Category string `json:"category,omitempty"` - // Severity indicates policy severity + // Severity indicates policy check result criticality // +optional Severity PolicySeverity `json:"severity,omitempty"` } diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 7679c89581..73b88e062d 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -3184,10 +3184,10 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the policy rule + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: @@ -3195,7 +3195,7 @@ spec: description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked Kubernetes resources. For example, a policy result may apply to all pods that match a label. Either a Subject or a SubjectSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -3226,7 +3226,7 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: 
@@ -3264,17 +3264,19 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that manages this report @@ -3371,7 +3373,7 @@ spec: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of non-scored policies whose requirements were not met type: integer type: object type: object @@ -3454,10 +3456,10 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the policy rule + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: 
@@ -3465,7 +3467,7 @@ spec: description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked Kubernetes resources. For example, a policy result may apply to all pods that match a label. Either a Subject or a SubjectSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -3496,7 +3498,7 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: 
@@ -3534,17 +3536,19 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that manages this report @@ -3641,7 +3645,7 @@ spec: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of non-scored policies whose requirements were not met type: integer type: object type: object @@ -7009,10 +7013,10 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the policy rule + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: 
@@ -7020,7 +7024,7 @@ spec: description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked Kubernetes resources. For example, a policy result may apply to all pods that match a label. Either a Subject or a SubjectSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -7051,7 +7055,7 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: 
@@ -7089,17 +7093,19 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that manages this report @@ -7196,7 +7202,7 @@ spec: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of non-scored policies whose requirements were not met type: integer type: object type: object @@ -7279,10 +7285,10 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the policy rule + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: 
@@ -7290,7 +7296,7 @@ spec: description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked Kubernetes resources. For example, a policy result may apply to all pods that match a label. Either a Subject or a SubjectSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -7321,7 +7327,7 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: 
@@ -7359,17 +7365,19 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that manages this report @@ -7466,7 +7474,7 @@ spec: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of non-scored policies whose requirements were not met type: integer type: object type: object diff --git a/config/crds/kyverno.io_clusterreportchangerequests.yaml b/config/crds/kyverno.io_clusterreportchangerequests.yaml index 2c363c89ae..b562f35b5a 100644 --- a/config/crds/kyverno.io_clusterreportchangerequests.yaml +++ b/config/crds/kyverno.io_clusterreportchangerequests.yaml @@ -72,11 +72,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: 
@@ -85,11 +85,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. @@ -134,8 +134,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this @@ -208,17 +208,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that 
@@ -350,8 +353,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object diff --git a/config/crds/kyverno.io_reportchangerequests.yaml b/config/crds/kyverno.io_reportchangerequests.yaml index 43c62a5b50..9149c66a5d 100644 --- a/config/crds/kyverno.io_reportchangerequests.yaml +++ b/config/crds/kyverno.io_reportchangerequests.yaml @@ -72,11 +72,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: @@ -85,11 +85,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
@@ -134,8 +134,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this @@ -208,17 +208,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that @@ -350,8 +353,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object diff --git a/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml b/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml index 6f071f966e..f00c856125 100644 --- a/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml +++ b/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml @@ -72,11 +72,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: 
@@ -85,11 +85,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. @@ -134,8 +134,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this @@ -208,17 +208,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that 
@@ -350,8 +353,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object diff --git a/config/crds/wgpolicyk8s.io_policyreports.yaml b/config/crds/wgpolicyk8s.io_policyreports.yaml index 5969007168..78ddf485fa 100644 --- a/config/crds/wgpolicyk8s.io_policyreports.yaml +++ b/config/crds/wgpolicyk8s.io_policyreports.yaml @@ -71,11 +71,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: @@ -84,11 +84,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
@@ -133,8 +133,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this @@ -207,17 +207,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that @@ -349,8 +352,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object diff --git a/config/install.yaml b/config/install.yaml index 08e46bb577..72b2951bb8 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -5158,11 +5158,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: 
@@ -5171,11 +5171,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. @@ -5220,8 +5220,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this @@ -5294,17 +5294,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that 
@@ -5436,8 +5439,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object @@ -5524,11 +5527,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: @@ -5537,11 +5540,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. @@ -5586,8 +5589,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this 
@@ -5660,17 +5663,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that @@ -5802,8 +5808,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object @@ -11150,11 +11156,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: 
@@ -11163,11 +11169,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. @@ -11212,8 +11218,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this @@ -11286,17 +11292,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that 
@@ -11428,8 +11437,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object @@ -11516,11 +11525,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: @@ -11529,11 +11538,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. @@ -11578,8 +11587,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this 
@@ -11652,17 +11661,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that @@ -11794,8 +11806,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object @@ -12378,7 +12390,8 @@ metadata: name: kyverno:events rules: - apiGroups: - - '*' + - "" + - events.k8s.io resources: - events verbs: diff --git a/config/install_debug.yaml b/config/install_debug.yaml index c3df762097..c436701c49 100755 --- a/config/install_debug.yaml +++ b/config/install_debug.yaml @@ -5155,11 +5155,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: 
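Review bot: In the `kyverno:events` hunk (`@@ -12378,7 +12390,8 @@`), `apiGroups` is narrowed from `'*'` to the core group and `events.k8s.io`, but nothing records why exactly these two groups are needed, so a later edit could widen it again. I would add a comment above the list such as `# events exist only in the core ("") and events.k8s.io groups; do not widen to '*'`. The `verbs:` list starts on the hunk's last line and its entries are outside the hunk, so please confirm they are limited to what the event recorder needs. If `config/install.yaml` is rendered from a chart or kustomize base, the same change has to land in that source or the next regeneration will restore the wildcard. The identical hunk in `config/install_debug.yaml` (`@@ -12361,7 +12373,8 @@`) needs the same comment and check.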
@@ -5168,11 +5168,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. @@ -5217,8 +5217,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this @@ -5291,17 +5291,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that 
@@ -5433,8 +5436,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object @@ -5520,11 +5523,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: @@ -5533,11 +5536,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. @@ -5582,8 +5585,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this 
@@ -5656,17 +5659,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that @@ -5798,8 +5804,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object @@ -11143,11 +11149,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: 
@@ -11156,11 +11162,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. @@ -11205,8 +11211,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this @@ -11279,17 +11285,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that 
@@ -11421,8 +11430,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object @@ -11508,11 +11517,11 @@ spec: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the + description: Description is a short user friendly message for the policy rule type: string policy: - description: Policy is the name of the policy + description: Policy is the name or identifier of the policy type: string properties: additionalProperties: @@ -11521,11 +11530,11 @@ spec: policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. @@ -11570,8 +11579,8 @@ spec: type: object x-kubernetes-map-type: atomic resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Subjects is an optional reference to the checked Kubernetes + resources items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this 
@@ -11644,17 +11653,20 @@ spec: - skip type: string rule: - description: Rule is the name of the policy rule + description: Rule is the name or identifier of the rule within the + policy type: string scored: - description: Scored indicates if this policy rule is scored + description: Scored indicates if this result is scored type: boolean severity: - description: Severity indicates policy severity + description: Severity indicates policy check result criticality enum: + - critical - high - low - medium + - info type: string source: description: Source is an identifier for the policy engine that @@ -11786,8 +11798,8 @@ spec: for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of non-scored policies whose + requirements were not met type: integer type: object type: object @@ -12361,7 +12373,8 @@ metadata: name: kyverno:events rules: - apiGroups: - - '*' + - "" + - events.k8s.io resources: - events verbs: