From 5dcf37141b4084bafab9996a5fc7a07bf33132ac Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sat, 12 Dec 2020 21:19:37 -0800 Subject: [PATCH 1/5] allow generate with no data/status --- pkg/generate/generate.go | 19 +++++++++++-------- pkg/policy/generate/validate.go | 6 +++++- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go index 62d01a33d1..1fb3356dd0 100644 --- a/pkg/generate/generate.go +++ b/pkg/generate/generate.go @@ -318,20 +318,24 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou Name: genName, } - genData, _, err := unstructured.NestedMap(genUnst.Object, "data") + genData, found, err := unstructured.NestedMap(genUnst.Object, "data") if err != nil { return noGenResource, err } - genCopy, _, err := unstructured.NestedMap(genUnst.Object, "clone") + genClone, _, err := unstructured.NestedMap(genUnst.Object, "clone") if err != nil { return noGenResource, err } - if genData != nil { - rdata, mode, err = manageData(log, genAPIVersion, genKind, genNamespace, genName, genData, client, resource) + if genClone != nil { + rdata, mode, err = manageClone(log, genAPIVersion, genKind, genNamespace, genName, genClone, client, resource) } else { - rdata, mode, err = manageClone(log, genAPIVersion, genKind, genNamespace, genName, genCopy, client, resource) + if found { + rdata, mode, err = manageData(log, genAPIVersion, genKind, genNamespace, genName, genData, client, resource) + } else { + log.V(3).Info("generate rule has no data and clone") + } } logger := log.WithValues("genKind", genKind, "genAPIVersion", genAPIVersion, "genNamespace", genNamespace, "genName", genName) @@ -424,17 +428,16 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou } func manageData(log logr.Logger, apiVersion, kind, namespace, name string, data map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) { - // check if resource to be generated exists obj, err := client.GetResource(apiVersion, kind, namespace, name) if err != nil { if apierrors.IsNotFound(err) { log.V(3).Info("resource does not exist, will try to create", "genKind", kind, "genAPIVersion", apiVersion, "genNamespace", namespace, "genName", name) return data, Create, nil } - //something wrong while fetching resource - // client-errors + return nil, Skip, err } + updateObj := &unstructured.Unstructured{} updateObj.SetUnstructuredContent(data) updateObj.SetResourceVersion(obj.GetResourceVersion()) diff --git a/pkg/policy/generate/validate.go b/pkg/policy/generate/validate.go index 6db00e719b..038bef5556 100644 --- a/pkg/policy/generate/validate.go +++ b/pkg/policy/generate/validate.go @@ -37,11 +37,15 @@ func NewGenerateFactory(client *dclient.Client, rule kyverno.Generation, log log func (g *Generate) Validate() (string, error) { rule := g.rule if rule.Data == nil && rule.Clone == (kyverno.CloneFrom{}) { - return "", fmt.Errorf("clone or data are required") + // generate rules without data can be used to create objects + // which should not be updated (e.g. service accounts). + g.log.Info("generate rule has no data or clone") } + if rule.Data != nil && rule.Clone != (kyverno.CloneFrom{}) { return "", fmt.Errorf("only one operation allowed per generate rule(data or clone)") } + kind, name, namespace := rule.Kind, rule.Name, rule.Namespace if name == "" { From 2285e6b1b640de3d0f9bfb95265b263685a3a8b1 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Mon, 14 Dec 2020 02:38:33 -0800 Subject: [PATCH 2/5] update docs --- pkg/api/kyverno/v1/policy_types.go | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/pkg/api/kyverno/v1/policy_types.go b/pkg/api/kyverno/v1/policy_types.go index 158407ded1..1b3bf05928 100755 --- a/pkg/api/kyverno/v1/policy_types.go +++ b/pkg/api/kyverno/v1/policy_types.go @@ -301,23 +301,27 @@ type Generation struct { ResourceSpec `json:",omitempty" yaml:",omitempty"` // Synchronize controls if generated resources should be kept in-sync with their source resource. + // If Synchronize is set to "true" changes to generated resources will be overwritten with resource + // data from Data or the resource specified in the Clone declaration. // Optional. Defaults to "false" if not specified. // +optional Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"` - // Data provides the resource manifest to used to populate each generated resource. - // Exactly one of Data or Clone must be specified. + // Data provides the resource declaration used to populate each generated resource. + // At most one of Data or Clone must be specified. If neither are provided, the generated + // resource will be created with default data only. // +kubebuilder:pruning:PreserveUnknownFields // +optional Data apiextensions.JSON `json:"data,omitempty" yaml:"data,omitempty"` - // Clone specified the source resource used to populate each generated resource. - // Exactly one of Data or Clone must be specified. + // Clone specifies the source resource used to populate each generated resource. + // At most one of Data or Clone can be specified. If neither are provided, the generated + // resource will be created with default data only. // +optional Clone CloneFrom `json:"clone,omitempty" yaml:"clone,omitempty"` } -// CloneFrom provides the location of the source resource used to generate additional resources. +// CloneFrom provides the location of the source resource used to generate target resources. // The resource kind is derived from the match criteria. type CloneFrom struct { From b25a0371135a7a57da6ea0a299a5d5be81f1385d Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Mon, 14 Dec 2020 02:43:16 -0800 Subject: [PATCH 3/5] fix generate clone/data check --- pkg/generate/generate.go | 85 ++++++++++++++++------------- pkg/generate/generate_controller.go | 7 ++- pkg/policy/generate/validate.go | 8 +-- pkg/webhooks/generate/generate.go | 12 ++-- 4 files changed, 61 insertions(+), 51 deletions(-) diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go index 7d2077752d..3b347d7f12 100644 --- a/pkg/generate/generate.go +++ b/pkg/generate/generate.go @@ -15,7 +15,6 @@ import ( "github.com/kyverno/kyverno/pkg/engine" "github.com/kyverno/kyverno/pkg/engine/context" "github.com/kyverno/kyverno/pkg/engine/utils" - "github.com/kyverno/kyverno/pkg/engine/validate" "github.com/kyverno/kyverno/pkg/engine/variables" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -295,6 +294,7 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou if err != nil { return noGenResource, err } + // Variable substitutions // format : {{ results in error and rule is not applied @@ -310,6 +310,8 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou return noGenResource, err } + logger := log.WithValues("genKind", genKind, "genAPIVersion", genAPIVersion, "genNamespace", genNamespace, "genName", genName) + // Resource to be generated newGenResource := kyverno.ResourceSpec{ APIVersion: genAPIVersion, @@ -318,32 +320,34 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou Name: genName, } - genData, found, err := unstructured.NestedMap(genUnst.Object, "data") + genData, _, err := unstructured.NestedMap(genUnst.Object, "data") if err != nil { - return noGenResource, err + return noGenResource, fmt.Errorf("failed to read `data`: %v", err.Error()) } genClone, _, err := unstructured.NestedMap(genUnst.Object, "clone") if err != nil { - return noGenResource, err + return noGenResource, fmt.Errorf("failed to read `clone`: %v", err.Error()) } - if genClone != nil { - rdata, mode, err = manageClone(log, genAPIVersion, genKind, genNamespace, genName, genClone, client, resource) + if genClone != nil && len(genClone) != 0 { + rdata, mode, err = manageClone(logger, genAPIVersion, genKind, genNamespace, genName, genClone, client) } else { - if found { - rdata, mode, err = manageData(log, genAPIVersion, genKind, genNamespace, genName, genData, client, resource) - } else { - log.V(3).Info("generate rule has no data and clone") - } + rdata, mode, err = manageData(logger, genAPIVersion, genKind, genNamespace, genName, genData, client) } - logger := log.WithValues("genKind", genKind, "genAPIVersion", genAPIVersion, "genNamespace", genNamespace, "genName", genName) + if err != nil { + logger.Error(err, "failed to generate resource", "data", rdata, "mode", mode) + return newGenResource, err + } - if rdata == nil { - // existing resource contains the configuration + logger.V(2).Info("applying generate rule", "data", rdata, "mode", mode) + + if rdata == nil && mode == Update { + logger.V(4).Info("no changes required for target resource") return newGenResource, nil } + if processExisting { return noGenResource, nil } @@ -373,6 +377,7 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou } else { label["policy.kyverno.io/synchronize"] = "disable" } + // Reset resource version newResource.SetResourceVersion("") // Create the resource @@ -381,7 +386,7 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou return noGenResource, err } - logger.V(2).Info("created resource") + logger.V(2).Info("generated target resource") } else if mode == Update { label := newResource.GetLabels() @@ -399,49 +404,60 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou logger.Error(err, "updating existing resource") return noGenResource, err } - logger.V(2).Info("updated generated resource") + logger.V(2).Info("updated target resource") } } + return newGenResource, nil } -func manageData(log logr.Logger, apiVersion, kind, namespace, name string, data map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) { +func manageData(log logr.Logger, apiVersion, kind, namespace, name string, data map[string]interface{}, client *dclient.Client) (map[string]interface{}, ResourceMode, error) { obj, err := client.GetResource(apiVersion, kind, namespace, name) if err != nil { if apierrors.IsNotFound(err) { - log.V(3).Info("resource does not exist, will try to create", "genKind", kind, "genAPIVersion", apiVersion, "genNamespace", namespace, "genName", name) return data, Create, nil } + log.Error(err, "failed to get resource") return nil, Skip, err } + log.Info("found target resource", "resource", obj) + if data == nil { + log.Info("data is nil - skipping update", "resource", obj) + return nil, Skip, nil + } + updateObj := &unstructured.Unstructured{} updateObj.SetUnstructuredContent(data) updateObj.SetResourceVersion(obj.GetResourceVersion()) return updateObj.UnstructuredContent(), Update, nil } -func manageClone(log logr.Logger, apiVersion, kind, namespace, name string, clone map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) { - newRNs, _, err := unstructured.NestedString(clone, "namespace") +func manageClone(log logr.Logger, apiVersion, kind, namespace, name string, clone map[string]interface{}, client *dclient.Client) (map[string]interface{}, ResourceMode, error) { + rNamespace, _, err := unstructured.NestedString(clone, "namespace") if err != nil { - return nil, Skip, err - } - newRName, _, err := unstructured.NestedString(clone, "name") - if err != nil { - return nil, Skip, err + return nil, Skip, fmt.Errorf("failed to find source namespace: %v", err) } - // Short-circuit if the resource to be generated and the clone is the same - if newRNs == namespace && newRName == name { - // attempting to clone it self, this will fail -> short-ciruit it + rName, _, err := unstructured.NestedString(clone, "name") + if err != nil { + return nil, Skip, fmt.Errorf("failed to find source name: %v", err) + } + + if rName == "" && rNamespace == "" { + return nil, Skip, fmt.Errorf("invalid source", "clone", clone) + } + + if rNamespace == namespace && rName == name { + log.V(4).Info("skip resource self-clone") return nil, Skip, nil } // check if the resource as reference in clone exists? - obj, err := client.GetResource(apiVersion, kind, newRNs, newRName) + obj, err := client.GetResource(apiVersion, kind, rNamespace, rName) if err != nil { - return nil, Skip, fmt.Errorf("reference clone resource %s/%s/%s/%s not found. %v", apiVersion, kind, newRNs, newRName, err) + return nil, Skip, fmt.Errorf("source resource %s %s/%s/%s not found. %v", apiVersion, kind, rNamespace, rName, err) } // check if resource to be generated exists @@ -475,15 +491,6 @@ const ( Update = "UPDATE" ) -func checkResource(log logr.Logger, newResourceSpec interface{}, resource *unstructured.Unstructured) error { - // check if the resource spec if a subset of the resource - if path, err := validate.ValidateResourceWithPattern(log, resource.Object, newResourceSpec); err != nil { - log.Error(err, "Failed to match the resource ", "path", path) - return err - } - return nil -} - func getUnstrRule(rule *kyverno.Generation) (*unstructured.Unstructured, error) { ruleData, err := json.Marshal(rule) if err != nil { diff --git a/pkg/generate/generate_controller.go b/pkg/generate/generate_controller.go index 2ac96202da..aead2c65b4 100644 --- a/pkg/generate/generate_controller.go +++ b/pkg/generate/generate_controller.go @@ -1,6 +1,7 @@ package generate import ( + "sigs.k8s.io/controller-runtime/pkg/log" "time" "github.com/go-logr/logr" @@ -262,15 +263,19 @@ func (c *Controller) Run(workers int, stopCh <-chan struct{}) { logger.Info("failed to sync informer cache") return } + for i := 0; i < workers; i++ { go wait.Until(c.worker, constant.GenerateControllerResync, stopCh) } + <-stopCh } // worker runs a worker thread that just dequeues items, processes them, and marks them done. // It enforces that the syncHandler is never invoked concurrently with the same key. func (c *Controller) worker() { + log.Log.Info("starting new worker...") + for c.processNextWorkItem() { } } @@ -280,10 +285,10 @@ func (c *Controller) processNextWorkItem() bool { if quit { return false } + defer c.queue.Done(key) err := c.syncGenerateRequest(key.(string)) c.handleErr(err, key) - return true } diff --git a/pkg/policy/generate/validate.go b/pkg/policy/generate/validate.go index 038bef5556..a491048b87 100644 --- a/pkg/policy/generate/validate.go +++ b/pkg/policy/generate/validate.go @@ -36,14 +36,8 @@ func NewGenerateFactory(client *dclient.Client, rule kyverno.Generation, log log //Validate validates the 'generate' rule func (g *Generate) Validate() (string, error) { rule := g.rule - if rule.Data == nil && rule.Clone == (kyverno.CloneFrom{}) { - // generate rules without data can be used to create objects - // which should not be updated (e.g. service accounts). - g.log.Info("generate rule has no data or clone") - } - if rule.Data != nil && rule.Clone != (kyverno.CloneFrom{}) { - return "", fmt.Errorf("only one operation allowed per generate rule(data or clone)") + return "", fmt.Errorf("only one of data or clone can be specified") } kind, name, namespace := rule.Kind, rule.Name, rule.Namespace diff --git a/pkg/webhooks/generate/generate.go b/pkg/webhooks/generate/generate.go index 51b44f89f8..93c0f1ebc5 100644 --- a/pkg/webhooks/generate/generate.go +++ b/pkg/webhooks/generate/generate.go @@ -28,7 +28,7 @@ type GeneratorChannel struct { action v1beta1.Operation } -// Generator defines the implmentation to mange generate request resource +// Generator defines the implementation to mange generate request resource type Generator struct { // channel to receive request ch chan GeneratorChannel @@ -48,15 +48,17 @@ func NewGenerator(client *kyvernoclient.Clientset, stopCh <-chan struct{}, log l return gen } -// Apply creates generate request resoruce (blocking call if channel is full) +// Apply creates generate request resource (blocking call if channel is full) func (g *Generator) Apply(gr kyverno.GenerateRequestSpec, action v1beta1.Operation) error { logger := g.log logger.V(4).Info("creating Generate Request", "request", gr) + // Update to channel message := GeneratorChannel{ action: action, spec: gr, } + select { case g.ch <- message: return nil @@ -70,13 +72,16 @@ func (g *Generator) Apply(gr kyverno.GenerateRequestSpec, action v1beta1.Operati func (g *Generator) Run(workers int) { logger := g.log defer utilruntime.HandleCrash() + logger.V(4).Info("starting") defer func() { logger.V(4).Info("shutting down") }() + for i := 0; i < workers; i++ { go wait.Until(g.processApply, constant.GenerateControllerResync, g.stopCh) } + <-g.stopCh } @@ -105,8 +110,7 @@ func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec, action v1beta1. func retryApplyResource(client *kyvernoclient.Clientset, grSpec kyverno.GenerateRequestSpec, log logr.Logger, - action v1beta1.Operation, -) error { + action v1beta1.Operation) error { var i int var err error From 043420d1ad0817eab377e022520bd45996742d9f Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Mon, 14 Dec 2020 02:52:12 -0800 Subject: [PATCH 4/5] remove ns / name check --- pkg/generate/generate.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go index 3b347d7f12..992e7dc218 100644 --- a/pkg/generate/generate.go +++ b/pkg/generate/generate.go @@ -445,10 +445,6 @@ func manageClone(log logr.Logger, apiVersion, kind, namespace, name string, clon return nil, Skip, fmt.Errorf("failed to find source name: %v", err) } - if rName == "" && rNamespace == "" { - return nil, Skip, fmt.Errorf("invalid source", "clone", clone) - } - if rNamespace == namespace && rName == name { log.V(4).Info("skip resource self-clone") return nil, Skip, nil From 8f5795725b7635546693103f0fcc7bd38c277261 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Mon, 14 Dec 2020 02:56:21 -0800 Subject: [PATCH 5/5] update CRDs --- charts/kyverno/crds/crds.yaml | 1315 ++++++++------------------------ definitions/install.yaml | 1315 ++++++++------------------------ definitions/install_debug.yaml | 1315 ++++++++------------------------ 3 files changed, 906 insertions(+), 3039 deletions(-) diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml index 8889ec1e07..06335cfa07 100644 --- a/charts/kyverno/crds/crds.yaml +++ b/charts/kyverno/crds/crds.yaml @@ -26,18 +26,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -45,27 +40,17 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -80,29 +65,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -110,50 +86,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -165,51 +120,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -224,9 +159,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specified the source resource used to - populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Clone specified the source resource used to populate each generated resource. Exactly one of Data or Clone must be specified. properties: name: description: Name specifies name of the resource. @@ -236,9 +169,7 @@ spec: type: string type: object data: - description: Data provides the resource manifest to used - to populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Data provides the resource manifest to used to populate each generated resource. Exactly one of Data or Clone must be specified. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -250,36 +181,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -287,50 +206,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -342,51 +240,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -398,25 +276,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -429,27 +300,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -460,9 +323,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -470,23 +331,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -497,102 +353,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -657,26 +491,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -684,46 +512,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -735,58 +547,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -798,8 +571,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -833,23 +605,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -861,39 +623,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -905,34 +656,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -992,26 +735,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests - API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -1019,46 +756,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1070,58 +791,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1133,8 +815,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -1168,23 +849,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1196,39 +867,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1240,34 +900,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -1324,14 +976,10 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1342,12 +990,10 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an - admission request. + description: RequestInfo contains permission info carried in an admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. + description: ClusterRoles is a list of possible clusterRoles send the request. items: type: string nullable: true @@ -1359,18 +1005,15 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission - request. + description: UserInfo is the userInfo carried in the admission request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf - can generate + description: ExtraValue masks the value so protobuf can generate items: type: string type: array - description: Any additional information provided by the - authenticator. + description: Any additional information provided by the authenticator. type: object groups: description: The names of groups this user is a part of. @@ -1378,14 +1021,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. type: string username: - description: The name that uniquely identifies this user - among all active users. + description: The name that uniquely identifies this user among all active users. type: string type: object type: object @@ -1394,8 +1033,7 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate - request. + description: ResourceSpec is the information to identify the generate request. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -1419,8 +1057,7 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: @@ -1489,19 +1126,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1509,27 +1140,17 @@ spec: description: Spec defines policy behaviors and contains one or rules. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -1544,29 +1165,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1574,50 +1186,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1629,51 +1220,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1688,9 +1259,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specified the source resource used to - populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Clone specified the source resource used to populate each generated resource. Exactly one of Data or Clone must be specified. properties: name: description: Name specifies name of the resource. @@ -1700,9 +1269,7 @@ spec: type: string type: object data: - description: Data provides the resource manifest to used - to populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Data provides the resource manifest to used to populate each generated resource. Exactly one of Data or Clone must be specified. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1714,36 +1281,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1751,50 +1306,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1806,51 +1340,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1862,25 +1376,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -1893,27 +1400,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1924,9 +1423,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -1934,23 +1431,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1961,102 +1453,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime information. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -2124,22 +1594,17 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2147,46 +1612,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2198,58 +1647,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2261,8 +1671,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2296,23 +1705,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2324,39 +1723,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2368,34 +1756,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -2457,26 +1837,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests - API + description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2484,46 +1858,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2535,58 +1893,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2598,8 +1917,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2633,23 +1951,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2661,39 +1969,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2705,34 +2002,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object diff --git a/definitions/install.yaml b/definitions/install.yaml index c51398ae21..c486a5a98f 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -31,18 +31,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -50,27 +45,17 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -85,29 +70,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -115,50 +91,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -170,51 +125,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -229,9 +164,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specified the source resource used to - populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Clone specified the source resource used to populate each generated resource. Exactly one of Data or Clone must be specified. properties: name: description: Name specifies name of the resource. @@ -241,9 +174,7 @@ spec: type: string type: object data: - description: Data provides the resource manifest to used - to populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Data provides the resource manifest to used to populate each generated resource. Exactly one of Data or Clone must be specified. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -255,36 +186,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -292,50 +211,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -347,51 +245,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -403,25 +281,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -434,27 +305,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -465,9 +328,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -475,23 +336,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -502,102 +358,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -662,26 +496,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -689,46 +517,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -740,58 +552,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -803,8 +576,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -838,23 +610,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -866,39 +628,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -910,34 +661,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -997,26 +740,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests - API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -1024,46 +761,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1075,58 +796,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1138,8 +820,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -1173,23 +854,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1201,39 +872,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1245,34 +905,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -1329,14 +981,10 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1347,12 +995,10 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an - admission request. + description: RequestInfo contains permission info carried in an admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. + description: ClusterRoles is a list of possible clusterRoles send the request. items: type: string nullable: true @@ -1364,18 +1010,15 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission - request. + description: UserInfo is the userInfo carried in the admission request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf - can generate + description: ExtraValue masks the value so protobuf can generate items: type: string type: array - description: Any additional information provided by the - authenticator. + description: Any additional information provided by the authenticator. type: object groups: description: The names of groups this user is a part of. @@ -1383,14 +1026,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. type: string username: - description: The name that uniquely identifies this user - among all active users. + description: The name that uniquely identifies this user among all active users. type: string type: object type: object @@ -1399,8 +1038,7 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate - request. + description: ResourceSpec is the information to identify the generate request. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -1424,8 +1062,7 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: @@ -1494,19 +1131,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1514,27 +1145,17 @@ spec: description: Spec defines policy behaviors and contains one or rules. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -1549,29 +1170,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1579,50 +1191,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1634,51 +1225,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1693,9 +1264,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specified the source resource used to - populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Clone specified the source resource used to populate each generated resource. Exactly one of Data or Clone must be specified. properties: name: description: Name specifies name of the resource. @@ -1705,9 +1274,7 @@ spec: type: string type: object data: - description: Data provides the resource manifest to used - to populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Data provides the resource manifest to used to populate each generated resource. Exactly one of Data or Clone must be specified. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1719,36 +1286,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1756,50 +1311,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1811,51 +1345,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1867,25 +1381,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -1898,27 +1405,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1929,9 +1428,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -1939,23 +1436,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1966,102 +1458,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime information. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -2129,22 +1599,17 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2152,46 +1617,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2203,58 +1652,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2266,8 +1676,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2301,23 +1710,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2329,39 +1728,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2373,34 +1761,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -2462,26 +1842,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests - API + description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2489,46 +1863,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2540,58 +1898,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2603,8 +1922,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2638,23 +1956,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2666,39 +1974,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2710,34 +2007,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 690c475a9a..1bfc2a4a4b 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -31,18 +31,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -50,27 +45,17 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -85,29 +70,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -115,50 +91,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -170,51 +125,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -229,9 +164,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specified the source resource used to - populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Clone specified the source resource used to populate each generated resource. Exactly one of Data or Clone must be specified. properties: name: description: Name specifies name of the resource. @@ -241,9 +174,7 @@ spec: type: string type: object data: - description: Data provides the resource manifest to used - to populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Data provides the resource manifest to used to populate each generated resource. Exactly one of Data or Clone must be specified. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -255,36 +186,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -292,50 +211,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -347,51 +245,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -403,25 +281,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -434,27 +305,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -465,9 +328,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -475,23 +336,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -502,102 +358,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -662,26 +496,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -689,46 +517,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -740,58 +552,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -803,8 +576,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -838,23 +610,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -866,39 +628,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -910,34 +661,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -997,26 +740,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests - API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -1024,46 +761,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1075,58 +796,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1138,8 +820,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -1173,23 +854,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1201,39 +872,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1245,34 +905,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -1329,14 +981,10 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1347,12 +995,10 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an - admission request. + description: RequestInfo contains permission info carried in an admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. + description: ClusterRoles is a list of possible clusterRoles send the request. items: type: string nullable: true @@ -1364,18 +1010,15 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission - request. + description: UserInfo is the userInfo carried in the admission request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf - can generate + description: ExtraValue masks the value so protobuf can generate items: type: string type: array - description: Any additional information provided by the - authenticator. + description: Any additional information provided by the authenticator. type: object groups: description: The names of groups this user is a part of. @@ -1383,14 +1026,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. type: string username: - description: The name that uniquely identifies this user - among all active users. + description: The name that uniquely identifies this user among all active users. type: string type: object type: object @@ -1399,8 +1038,7 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate - request. + description: ResourceSpec is the information to identify the generate request. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -1424,8 +1062,7 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: @@ -1494,19 +1131,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1514,27 +1145,17 @@ spec: description: Spec defines policy behaviors and contains one or rules. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -1549,29 +1170,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1579,50 +1191,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1634,51 +1225,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1693,9 +1264,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specified the source resource used to - populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Clone specified the source resource used to populate each generated resource. Exactly one of Data or Clone must be specified. properties: name: description: Name specifies name of the resource. @@ -1705,9 +1274,7 @@ spec: type: string type: object data: - description: Data provides the resource manifest to used - to populate each generated resource. Exactly one of Data - or Clone must be specified. + description: Data provides the resource manifest to used to populate each generated resource. Exactly one of Data or Clone must be specified. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1719,36 +1286,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1756,50 +1311,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1811,51 +1345,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1867,25 +1381,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -1898,27 +1405,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1929,9 +1428,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -1939,23 +1436,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1966,102 +1458,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime information. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -2129,22 +1599,17 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2152,46 +1617,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2203,58 +1652,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2266,8 +1676,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2301,23 +1710,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2329,39 +1728,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2373,34 +1761,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -2462,26 +1842,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests - API + description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2489,46 +1863,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2540,58 +1898,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2603,8 +1922,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2638,23 +1956,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2666,39 +1974,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2710,34 +2007,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object