mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

fix: CRDs codegen (#9542)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2024-01-29 10:45:52 +01:00 committed by GitHub
parent 747bc017e5
commit 90cff77300
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
35 changed files with 2199 additions and 3964 deletions


@ -482,20 +482,29 @@ codegen-client-all: codegen-register codegen-defaulters codegen-applyconfigurati
.PHONY: codegen-crds-kyverno
codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
@echo Generate kyverno crds... >&2
@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
@rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno
@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/kyverno
.PHONY: codegen-crds-report
codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs
.PHONY: codegen-crds-policyreport
codegen-crds-policyreport: $(CONTROLLER_GEN) ## Generate policy reports CRDs
@echo Generate policy reports crds... >&2
@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
@rm -rf $(CRDS_PATH)/policyreport && mkdir -p $(CRDS_PATH)/policyreport
@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/policyreport
.PHONY: codegen-crds-reports
codegen-crds-reports: $(CONTROLLER_GEN) ## Generate reports CRDs
@echo Generate policy reports crds... >&2
@rm -rf $(CRDS_PATH)/reports && mkdir -p $(CRDS_PATH)/reports
@$(CONTROLLER_GEN) crd paths=./api/reports/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/reports
.PHONY: codegen-crds-cli
codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs
@echo Generate cli crds... >&2
@rm -rf ${PWD}/cmd/cli/kubectl-kyverno/config/crds && mkdir -p ${PWD}/cmd/cli/kubectl-kyverno/config/crds
@$(CONTROLLER_GEN) crd paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1 output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
.PHONY: codegen-crds-all
codegen-crds-all: codegen-crds-kyverno codegen-crds-report codegen-cli-crds ## Generate all CRDs
codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-cli-crds ## Generate all CRDs
.PHONY: codegen-helm-docs
codegen-helm-docs: ## Generate helm docs
@ -532,9 +541,9 @@ codegen-cli-docs: $(CLI_BIN) ## Generate CLI docs
codegen-cli-crds: codegen-crds-kyverno ## Copy generated CRDs to embed in the CLI
@echo Copy generated CRDs to embed in the CLI... >&2
@rm -rf cmd/cli/kubectl-kyverno/data/crds && mkdir -p cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno.io_clusterpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno.io_policies.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno.io_policyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno/kyverno.io_clusterpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno/kyverno.io_policies.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno/kyverno.io_policyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
@cp cmd/cli/kubectl-kyverno/config/crds/* cmd/cli/kubectl-kyverno/data/crds
.PHONY: codegen-docs-all
@ -556,13 +565,34 @@ codegen-cli-all: codegen-cli-crds codegen-cli-docs codegen-cli-api-docs codegen-
.PHONY: codegen-helm-crds
codegen-helm-crds: codegen-crds-all ## Generate helm CRDs
@echo Generate helm crds... >&2
@cat $(CRDS_PATH)/* \
@rm -rf ./charts/kyverno/charts/crds/templates/*.yaml
@echo "{{- if .Values.groups.kyverno }}" > ./charts/kyverno/charts/crds/templates/kyverno.yaml
@cat $(CRDS_PATH)/kyverno/* \
| $(SED) -e '/^ annotations:/a \ \ \ \ {{- end }}' \
| $(SED) -e '/^ annotations:/a \ \ \ \ {{- toYaml . | nindent 4 }}' \
| $(SED) -e '/^ annotations:/a \ \ \ \ {{- with .Values.annotations }}' \
| $(SED) -e '/^ annotations:/i \ \ labels:' \
| $(SED) -e '/^ labels:/a \ \ \ \ {{- include "kyverno.crds.labels" . | nindent 4 }}' \
> ./charts/kyverno/charts/crds/templates/crds.yaml
>> ./charts/kyverno/charts/crds/templates/kyverno.yaml
@echo "{{- end }}" >> ./charts/kyverno/charts/crds/templates/kyverno.yaml
@echo "{{- if .Values.groups.reports }}" > ./charts/kyverno/charts/crds/templates/reports.yaml
@cat $(CRDS_PATH)/reports/* \
| $(SED) -e '/^ annotations:/a \ \ \ \ {{- end }}' \
| $(SED) -e '/^ annotations:/a \ \ \ \ {{- toYaml . | nindent 4 }}' \
| $(SED) -e '/^ annotations:/a \ \ \ \ {{- with .Values.annotations }}' \
| $(SED) -e '/^ annotations:/i \ \ labels:' \
| $(SED) -e '/^ labels:/a \ \ \ \ {{- include "kyverno.crds.labels" . | nindent 4 }}' \
>> ./charts/kyverno/charts/crds/templates/reports.yaml
@echo "{{- end }}" >> ./charts/kyverno/charts/crds/templates/reports.yaml
@echo "{{- if .Values.groups.policyreport }}" > ./charts/kyverno/charts/crds/templates/policyreport.yaml
@cat $(CRDS_PATH)/policyreport/* \
| $(SED) -e '/^ annotations:/a \ \ \ \ {{- end }}' \
| $(SED) -e '/^ annotations:/a \ \ \ \ {{- toYaml . | nindent 4 }}' \
| $(SED) -e '/^ annotations:/a \ \ \ \ {{- with .Values.annotations }}' \
| $(SED) -e '/^ annotations:/i \ \ labels:' \
| $(SED) -e '/^ labels:/a \ \ \ \ {{- include "kyverno.crds.labels" . | nindent 4 }}' \
>> ./charts/kyverno/charts/crds/templates/policyreport.yaml
@echo "{{- end }}" >> ./charts/kyverno/charts/crds/templates/policyreport.yaml
.PHONY: codegen-helm-all
codegen-helm-all: codegen-helm-crds codegen-helm-docs ## Generate helm docs and CRDs
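Review bot: The progress message of the new `codegen-crds-reports` target still says "policy reports" (a copy-paste from `codegen-crds-policyreport` just above it), which makes the two targets indistinguishable in build logs; it should read `@echo Generate reports crds... >&2`. In the same hunk, the rewritten `codegen-crds-all` prerequisite list still omits `codegen-crds-cli`, yet `codegen-cli-crds` (second hunk, whose own prerequisite line is unchanged) copies from `cmd/cli/kubectl-kyverno/config/crds/*`, the directory `codegen-crds-cli` produces — so on a clean checkout or under `make -j` that copy can see a missing or stale directory, unless that edge is declared somewhere outside these hunks. I would write `codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-crds-cli codegen-cli-crds ## Generate all CRDs` and `codegen-cli-crds: codegen-crds-kyverno codegen-crds-cli ## Copy generated CRDs to embed in the CLI`. The three new `rm -rf $(CRDS_PATH)/<group>` recipe lines would also benefit from a guard such as `$(if $(strip $(CRDS_PATH)),,$(error CRDS_PATH is empty))` near the variable's definition, since an empty `CRDS_PATH` turns them into deletions under `/`.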


@ -38,7 +38,7 @@ type EphemeralReportSpec struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true
// +kubebuilder:storageversion
// +kubebuilder:resource:shortName=admr,categories=kyverno
// +kubebuilder:resource:shortName=ephr,categories=kyverno
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="PASS",type=integer,JSONPath=".spec.summary.pass"
// +kubebuilder:printcolumn:name="FAIL",type=integer,JSONPath=".spec.summary.fail"
@ -73,7 +73,7 @@ func (r *EphemeralReport) SetSummary(summary policyreportv1alpha2.PolicyReportSu
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true
// +kubebuilder:storageversion
// +kubebuilder:resource:scope=Cluster,shortName=cadmr,categories=kyverno
// +kubebuilder:resource:scope=Cluster,shortName=cephr,categories=kyverno
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="PASS",type=integer,JSONPath=".spec.summary.pass"
// +kubebuilder:printcolumn:name="FAIL",type=integer,JSONPath=".spec.summary.fail"


@ -253,6 +253,9 @@ The chart values are organised per component.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
| crds.groups.kyverno | bool | `true` | Install CRDs in group `kyverno.io` |
| crds.groups.policyreport | bool | `true` | Install CRDs in group `wgpolicyk8s.io` |
| crds.groups.reports | bool | `true` | Install CRDs in group `reports.kyverno.io` |
| crds.annotations | object | `{}` | Additional CRDs annotations |
| crds.customLabels | object | `{}` | Additional CRDs labels |
| crds.migration.enabled | bool | `true` | Enable CRDs migration using helm post upgrade hook |


@ -6,6 +6,9 @@
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| groups.kyverno | bool | `true` | This field can be overwritten by setting crds.labels in the parent chart |
| groups.policyreport | bool | `true` | This field can be overwritten by setting crds.labels in the parent chart |
| groups.reports | bool | `true` | This field can be overwritten by setting crds.labels in the parent chart |
| annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart |
| customLabels | object | `{}` | This field can be overwritten by setting crds.labels in the parent chart |


@ -0,0 +1,731 @@
{{- if .Values.groups.policyreport }}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
{{- include "kyverno.crds.labels" . | nindent 4 }}
annotations:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
controller-gen.kubebuilder.io/version: v0.12.0
name: clusterpolicyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
kind: ClusterPolicyReport
listKind: ClusterPolicyReportList
plural: clusterpolicyreports
shortNames:
- cpolr
singular: clusterpolicyreport
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind
name: Kind
type: string
- jsonPath: .scope.name
name: Name
type: string
- jsonPath: .summary.pass
name: Pass
type: integer
- jsonPath: .summary.fail
name: Fail
type: integer
- jsonPath: .summary.warn
name: Warn
type: integer
- jsonPath: .summary.error
name: Error
type: integer
- jsonPath: .summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: ClusterPolicyReport is the Schema for the clusterpolicyreports
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
message:
description: Description is a short user friendly message for the
policy rule
type: string
policy:
description: Policy is the name or identifier of the policy
type: string
properties:
additionalProperties:
type: string
description: Properties provides additional information for the
policy rule
type: object
resourceSelector:
description: SubjectSelector is an optional label selector for checked
Kubernetes resources. For example, a policy result may apply to
all pods that match a label. Either a Subject or a SubjectSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Subjects is an optional reference to the checked Kubernetes
resources
items:
description: "ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many
fields which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular
restrictions like, \"must refer only to types A and B\" or \"UID
not honored\" or \"name must be restricted\". Those cannot be
well described when embedded. 3. Inconsistent validation. Because
the usages are different, the validation rules are different
by usage, which makes it hard for users to predict what will
happen. 4. The fields are both imprecise and overly precise.
\ Kind is not a precise mapping to a URL. This can produce ambiguity
during interpretation and require a REST mapping. In most cases,
the dependency is on the group,resource tuple and the version
of the actual struct is irrelevant. 5. We cannot easily change
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n Instead
of using this type, create a locally provided and used type
that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
enum:
- pass
- fail
- warn
- error
- skip
type: string
rule:
description: Rule is the name or identifier of the rule within the
policy
type: string
scored:
description: Scored indicates if this result is scored
type: boolean
severity:
description: Severity indicates policy check result criticality
enum:
- critical
- high
- low
- medium
- info
type: string
source:
description: Source is an identifier for the policy engine that
manages this report
type: string
timestamp:
description: Timestamp indicates the time the result was found
properties:
nanos:
description: Non-negative fractions of a second at nanosecond
resolution. Negative second values with fractions must still
have non-negative nanos values that count forward in time.
Must be from 0 to 999,999,999 inclusive. This field may be
limited in precision depending on context.
format: int32
type: integer
seconds:
description: Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
- nanos
- seconds
type: object
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g.
a Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access
statement, such as desiredState.manifest.containers[2]. For example,
if the object reference is to a container within a pod, this would
take on a value like: "spec.containers{name}" (where "name" refers
to the name of the container that triggered the event) or if no
container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design is not
final and this field is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of non-scored policies whose
requirements were not met
type: integer
type: object
type: object
served: true
storage: true
subresources: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
{{- include "kyverno.crds.labels" . | nindent 4 }}
annotations:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
controller-gen.kubebuilder.io/version: v0.12.0
name: policyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
kind: PolicyReport
listKind: PolicyReportList
plural: policyreports
shortNames:
- polr
singular: policyreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind
name: Kind
type: string
- jsonPath: .scope.name
name: Name
type: string
- jsonPath: .summary.pass
name: Pass
type: integer
- jsonPath: .summary.fail
name: Fail
type: integer
- jsonPath: .summary.warn
name: Warn
type: integer
- jsonPath: .summary.error
name: Error
type: integer
- jsonPath: .summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha2
schema:
openAPIV3Schema:
description: PolicyReport is the Schema for the policyreports API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
message:
description: Description is a short user friendly message for the
policy rule
type: string
policy:
description: Policy is the name or identifier of the policy
type: string
properties:
additionalProperties:
type: string
description: Properties provides additional information for the
policy rule
type: object
resourceSelector:
description: SubjectSelector is an optional label selector for checked
Kubernetes resources. For example, a policy result may apply to
all pods that match a label. Either a Subject or a SubjectSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Subjects is an optional reference to the checked Kubernetes
resources
items:
description: "ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many
fields which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular
restrictions like, \"must refer only to types A and B\" or \"UID
not honored\" or \"name must be restricted\". Those cannot be
well described when embedded. 3. Inconsistent validation. Because
the usages are different, the validation rules are different
by usage, which makes it hard for users to predict what will
happen. 4. The fields are both imprecise and overly precise.
\ Kind is not a precise mapping to a URL. This can produce ambiguity
during interpretation and require a REST mapping. In most cases,
the dependency is on the group,resource tuple and the version
of the actual struct is irrelevant. 5. We cannot easily change
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n Instead
of using this type, create a locally provided and used type
that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
enum:
- pass
- fail
- warn
- error
- skip
type: string
rule:
description: Rule is the name or identifier of the rule within the
policy
type: string
scored:
description: Scored indicates if this result is scored
type: boolean
severity:
description: Severity indicates policy check result criticality
enum:
- critical
- high
- low
- medium
- info
type: string
source:
description: Source is an identifier for the policy engine that
manages this report
type: string
timestamp:
description: Timestamp indicates the time the result was found
properties:
nanos:
description: Non-negative fractions of a second at nanosecond
resolution. Negative second values with fractions must still
have non-negative nanos values that count forward in time.
Must be from 0 to 999,999,999 inclusive. This field may be
limited in precision depending on context.
format: int32
type: integer
seconds:
description: Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
- nanos
- seconds
type: object
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g.
a Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access
statement, such as desiredState.manifest.containers[2]. For example,
if the object reference is to a container within a pod, this would
take on a value like: "spec.containers{name}" (where "name" refers
to the name of the container that triggered the event) or if no
container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design is not
final and this field is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of non-scored policies whose
requirements were not met
type: integer
type: object
type: object
served: true
storage: true
subresources: {}
{{- end }}


@ -0,0 +1,673 @@
{{- if .Values.groups.reports }}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
{{- include "kyverno.crds.labels" . | nindent 4 }}
annotations:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
controller-gen.kubebuilder.io/version: v0.12.0
name: clusterephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
categories:
- kyverno
kind: ClusterEphemeralReport
listKind: ClusterEphemeralReportList
plural: clusterephemeralreports
shortNames:
- cephr
singular: clusterephemeralreport
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .spec.summary.pass
name: PASS
type: integer
- jsonPath: .spec.summary.fail
name: FAIL
type: integer
- jsonPath: .spec.summary.warn
name: WARN
type: integer
- jsonPath: .spec.summary.error
name: ERROR
type: integer
- jsonPath: .spec.summary.skip
name: SKIP
type: integer
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr']
name: GVR
type: string
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name']
name: REF
type: string
- jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate']
name: AGGREGATE
priority: 1
type: string
name: v1
schema:
openAPIV3Schema:
description: ClusterEphemeralReport is the Schema for the ClusterEphemeralReports
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
owner:
description: Owner is a reference to the report owner (e.g. a Deployment,
Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion"
finalizer, then the owner cannot be deleted from the key-value
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
for how the garbage collector interacts with this field and
enforces the foreground deletion. Defaults to false. To set
this field, a user needs "delete" permission of the owner, otherwise
422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
type: string
required:
- apiVersion
- kind
- name
- uid
type: object
x-kubernetes-map-type: atomic
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
message:
description: Description is a short user friendly message for
the policy rule
type: string
policy:
description: Policy is the name or identifier of the policy
type: string
properties:
additionalProperties:
type: string
description: Properties provides additional information for
the policy rule
type: object
resourceSelector:
description: SubjectSelector is an optional label selector for
checked Kubernetes resources. For example, a policy result
may apply to all pods that match a label. Either a Subject
or a SubjectSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists or
DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
description: "ObjectReference contains enough information
to let you inspect or modify the referred object. --- New
uses of this type are discouraged because of difficulty
describing its usage when embedded in APIs. 1. Ignored fields.
\ It includes many fields which are not generally honored.
\ For instance, ResourceVersion and FieldPath are both very
rarely valid in actual usage. 2. Invalid usage help. It
is impossible to add specific help for individual usage.
\ In most embedded usages, there are particular restrictions
like, \"must refer only to types A and B\" or \"UID not
honored\" or \"name must be restricted\". Those cannot be
well described when embedded. 3. Inconsistent validation.
\ Because the usages are different, the validation rules
are different by usage, which makes it hard for users to
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and
require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container
within a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that
triggered the event) or if no container name is specified
"spec.containers[2]" (container with index 2 in this
pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule
execution
enum:
- pass
- fail
- warn
- error
- skip
type: string
rule:
description: Rule is the name or identifier of the rule within
the policy
type: string
scored:
description: Scored indicates if this result is scored
type: boolean
severity:
description: Severity indicates policy check result criticality
enum:
- critical
- high
- low
- medium
- info
type: string
source:
description: Source is an identifier for the policy engine that
manages this report
type: string
timestamp:
description: Timestamp indicates the time the result was found
properties:
nanos:
description: Non-negative fractions of a second at nanosecond
resolution. Negative second values with fractions must
still have non-negative nanos values that count forward
in time. Must be from 0 to 999,999,999 inclusive. This
field may be limited in precision depending on context.
format: int32
type: integer
seconds:
description: Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
to 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
- nanos
- seconds
type: object
required:
- policy
type: object
type: array
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not
be evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not
selected for evaluation
type: integer
warn:
description: Warn provides the count of non-scored policies whose
requirements were not met
type: integer
type: object
required:
- owner
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
{{- include "kyverno.crds.labels" . | nindent 4 }}
annotations:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
controller-gen.kubebuilder.io/version: v0.12.0
name: ephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
categories:
- kyverno
kind: EphemeralReport
listKind: EphemeralReportList
plural: ephemeralreports
shortNames:
- ephr
singular: ephemeralreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .spec.summary.pass
name: PASS
type: integer
- jsonPath: .spec.summary.fail
name: FAIL
type: integer
- jsonPath: .spec.summary.warn
name: WARN
type: integer
- jsonPath: .spec.summary.error
name: ERROR
type: integer
- jsonPath: .spec.summary.skip
name: SKIP
type: integer
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr']
name: GVR
type: string
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name']
name: REF
type: string
- jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate']
name: AGGREGATE
priority: 1
type: string
name: v1
schema:
openAPIV3Schema:
description: EphemeralReport is the Schema for the EphemeralReports API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
owner:
description: Owner is a reference to the report owner (e.g. a Deployment,
Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion"
finalizer, then the owner cannot be deleted from the key-value
store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
for how the garbage collector interacts with this field and
enforces the foreground deletion. Defaults to false. To set
this field, a user needs "delete" permission of the owner, otherwise
422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
type: string
required:
- apiVersion
- kind
- name
- uid
type: object
x-kubernetes-map-type: atomic
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
message:
description: Description is a short user friendly message for
the policy rule
type: string
policy:
description: Policy is the name or identifier of the policy
type: string
properties:
additionalProperties:
type: string
description: Properties provides additional information for
the policy rule
type: object
resourceSelector:
description: SubjectSelector is an optional label selector for
checked Kubernetes resources. For example, a policy result
may apply to all pods that match a label. Either a Subject
or a SubjectSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists or
DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
description: "ObjectReference contains enough information
to let you inspect or modify the referred object. --- New
uses of this type are discouraged because of difficulty
describing its usage when embedded in APIs. 1. Ignored fields.
\ It includes many fields which are not generally honored.
\ For instance, ResourceVersion and FieldPath are both very
rarely valid in actual usage. 2. Invalid usage help. It
is impossible to add specific help for individual usage.
\ In most embedded usages, there are particular restrictions
like, \"must refer only to types A and B\" or \"UID not
honored\" or \"name must be restricted\". Those cannot be
well described when embedded. 3. Inconsistent validation.
\ Because the usages are different, the validation rules
are different by usage, which makes it hard for users to
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and
require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container
within a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that
triggered the event) or if no container name is specified
"spec.containers[2]" (container with index 2 in this
pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule
execution
enum:
- pass
- fail
- warn
- error
- skip
type: string
rule:
description: Rule is the name or identifier of the rule within
the policy
type: string
scored:
description: Scored indicates if this result is scored
type: boolean
severity:
description: Severity indicates policy check result criticality
enum:
- critical
- high
- low
- medium
- info
type: string
source:
description: Source is an identifier for the policy engine that
manages this report
type: string
timestamp:
description: Timestamp indicates the time the result was found
properties:
nanos:
description: Non-negative fractions of a second at nanosecond
resolution. Negative second values with fractions must
still have non-negative nanos values that count forward
in time. Must be from 0 to 999,999,999 inclusive. This
field may be limited in precision depending on context.
format: int32
type: integer
seconds:
description: Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
to 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
- nanos
- seconds
type: object
required:
- policy
type: object
type: array
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not
be evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not
selected for evaluation
type: integer
warn:
description: Warn provides the count of non-scored policies whose
requirements were not met
type: integer
type: object
required:
- owner
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
{{- end }}


@ -4,7 +4,21 @@ templating:
enabled: false
debug: false
version: ~
groups:
# -- Install CRDs in group `kyverno.io`
# -- This field can be overwritten by setting crds.labels in the parent chart
kyverno: true
# -- Install CRDs in group `wgpolicyk8s.io`
# -- This field can be overwritten by setting crds.labels in the parent chart
policyreport: true
# -- Install CRDs in group `reports.kyverno.io`
# -- This field can be overwritten by setting crds.labels in the parent chart
reports: true
# -- Additional CRDs annotations
# -- This field can be overwritten by setting crds.annotations in the parent chart
annotations: {}
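Review bot: The comments on the three new `groups` toggles say the field "can be overwritten by setting crds.labels in the parent chart", which does not match the fields they sit on; the override key for these values is `crds.groups.kyverno`, `crds.groups.policyreport` and `crds.groups.reports` respectively. Suggest `# -- This field can be overwritten by setting crds.groups.kyverno in the parent chart` for the first toggle and the corresponding key for the other two, the way the `annotations` comment just below already names `crds.annotations`. The rest of the `templating` block is outside the hunk.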


@ -71,10 +71,8 @@ rules:
- apiGroups:
- reports.kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
- ephemeralreports
- clusterephemeralreports
verbs:
- create
- delete
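Review bot: Replacing `admissionreports`, `clusteradmissionreports`, `backgroundscanreports` and `clusterbackgroundscanreports` with the two ephemeral report resources drops the RBAC for the old kinds, but Helm does not remove CRDs on upgrade, so on an upgraded cluster the legacy CRDs and any existing report objects are likely to remain with no chart component still permitted to `delete` or `deletecollection` them. The same substitution appears in the rules at `@ -85,8 +85,7 @@`, `@ -17,8 +17,8 @@`, `@ -24,10 +24,8 @@`, `@ -58,10 +58,8 @@` and `@ -55,8 +55,7 @@` later in this commit. A migration note in the chart documentation (or a one-off cleanup step) stating that the legacy report resources and their CRDs must be removed manually after upgrade would close the gap. The enclosing `rules` list continues outside the hunk.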


@ -85,8 +85,7 @@ spec:
- reports.kyverno.io
clusterScope: true
resources:
- clusteradmissionreports
- clusterbackgroundscanreports
- clusterephemeralreports
verbs:
- create
- delete
@ -101,8 +100,7 @@ spec:
namespaces:
- '*'
resources:
- admissionreports
- backgroundscanreports
- ephemeralreports
verbs:
- create
- delete


@ -17,8 +17,8 @@ rules:
- apiGroups:
- reports.kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- ephemeralreports
- clusterephemeralreports
verbs:
- list
- deletecollection


@ -24,10 +24,8 @@ rules:
- apiGroups:
- reports.kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
- ephemeralreports
- clusterephemeralreports
verbs:
- create
- delete
@ -58,10 +56,8 @@ rules:
- apiGroups:
- reports.kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
- ephemeralreports
- clusterephemeralreports
verbs:
- get
- list


@ -58,10 +58,8 @@ rules:
- apiGroups:
- reports.kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
- ephemeralreports
- clusterephemeralreports
verbs:
- create
- delete


@ -55,8 +55,7 @@ spec:
- reports.kyverno.io
clusterScope: true
resources:
- clusteradmissionreports
- clusterbackgroundscanreports
- clusterephemeralreports
verbs:
- create
- delete
@ -71,8 +70,7 @@ spec:
namespaces:
- '*'
resources:
- admissionreports
- backgroundscanreports
- ephemeralreports
verbs:
- create
- delete


@ -61,6 +61,17 @@ crds:
# -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
install: true
groups:
# -- Install CRDs in group `kyverno.io`
kyverno: true
# -- Install CRDs in group `wgpolicyk8s.io`
policyreport: true
# -- Install CRDs in group `reports.kyverno.io`
reports: true
# -- Additional CRDs annotations
annotations: {}
# argocd.argoproj.io/sync-options: Replace=true


@ -1,297 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
name: backgroundscanreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
categories:
- kyverno
kind: BackgroundScanReport
listKind: BackgroundScanReportList
plural: backgroundscanreports
shortNames:
- bgscanr
singular: backgroundscanreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.ownerReferences[0].apiVersion
name: ApiVersion
type: string
- jsonPath: .metadata.ownerReferences[0].kind
name: Kind
type: string
- jsonPath: .metadata.ownerReferences[0].name
name: Subject
type: string
- jsonPath: .spec.summary.pass
name: Pass
type: integer
- jsonPath: .spec.summary.fail
name: Fail
type: integer
- jsonPath: .spec.summary.warn
name: Warn
type: integer
- jsonPath: .spec.summary.error
name: Error
type: integer
- jsonPath: .spec.summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
name: Hash
priority: 1
type: string
name: v1
schema:
openAPIV3Schema:
description: BackgroundScanReport is the Schema for the BackgroundScanReports
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
message:
description: Description is a short user friendly message for
the policy rule
type: string
policy:
description: Policy is the name or identifier of the policy
type: string
properties:
additionalProperties:
type: string
description: Properties provides additional information for
the policy rule
type: object
resourceSelector:
description: SubjectSelector is an optional label selector for
checked Kubernetes resources. For example, a policy result
may apply to all pods that match a label. Either a Subject
or a SubjectSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists or
DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
description: "ObjectReference contains enough information
to let you inspect or modify the referred object. --- New
uses of this type are discouraged because of difficulty
describing its usage when embedded in APIs. 1. Ignored fields.
\ It includes many fields which are not generally honored.
\ For instance, ResourceVersion and FieldPath are both very
rarely valid in actual usage. 2. Invalid usage help. It
is impossible to add specific help for individual usage.
\ In most embedded usages, there are particular restrictions
like, \"must refer only to types A and B\" or \"UID not
honored\" or \"name must be restricted\". Those cannot be
well described when embedded. 3. Inconsistent validation.
\ Because the usages are different, the validation rules
are different by usage, which makes it hard for users to
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and
require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container
within a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that
triggered the event) or if no container name is specified
"spec.containers[2]" (container with index 2 in this
pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule
execution
enum:
- pass
- fail
- warn
- error
- skip
type: string
rule:
description: Rule is the name or identifier of the rule within
the policy
type: string
scored:
description: Scored indicates if this result is scored
type: boolean
severity:
description: Severity indicates policy check result criticality
enum:
- critical
- high
- low
- medium
- info
type: string
source:
description: Source is an identifier for the policy engine that
manages this report
type: string
timestamp:
description: Timestamp indicates the time the result was found
properties:
nanos:
description: Non-negative fractions of a second at nanosecond
resolution. Negative second values with fractions must
still have non-negative nanos values that count forward
in time. Must be from 0 to 999,999,999 inclusive. This
field may be limited in precision depending on context.
format: int32
type: integer
seconds:
description: Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
to 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
- nanos
- seconds
type: object
required:
- policy
type: object
type: array
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not
be evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not
selected for evaluation
type: integer
warn:
description: Warn provides the count of non-scored policies whose
requirements were not met
type: integer
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}


@ -1,297 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
name: clusterbackgroundscanreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
categories:
- kyverno
kind: ClusterBackgroundScanReport
listKind: ClusterBackgroundScanReportList
plural: clusterbackgroundscanreports
shortNames:
- cbgscanr
singular: clusterbackgroundscanreport
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.ownerReferences[0].apiVersion
name: ApiVersion
type: string
- jsonPath: .metadata.ownerReferences[0].kind
name: Kind
type: string
- jsonPath: .metadata.ownerReferences[0].name
name: Subject
type: string
- jsonPath: .spec.summary.pass
name: Pass
type: integer
- jsonPath: .spec.summary.fail
name: Fail
type: integer
- jsonPath: .spec.summary.warn
name: Warn
type: integer
- jsonPath: .spec.summary.error
name: Error
type: integer
- jsonPath: .spec.summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
name: Hash
priority: 1
type: string
name: v1
schema:
openAPIV3Schema:
description: ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
message:
description: Description is a short user friendly message for
the policy rule
type: string
policy:
description: Policy is the name or identifier of the policy
type: string
properties:
additionalProperties:
type: string
description: Properties provides additional information for
the policy rule
type: object
resourceSelector:
description: SubjectSelector is an optional label selector for
checked Kubernetes resources. For example, a policy result
may apply to all pods that match a label. Either a Subject
or a SubjectSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists or
DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
description: "ObjectReference contains enough information
to let you inspect or modify the referred object. --- New
uses of this type are discouraged because of difficulty
describing its usage when embedded in APIs. 1. Ignored fields.
\ It includes many fields which are not generally honored.
\ For instance, ResourceVersion and FieldPath are both very
rarely valid in actual usage. 2. Invalid usage help. It
is impossible to add specific help for individual usage.
\ In most embedded usages, there are particular restrictions
like, \"must refer only to types A and B\" or \"UID not
honored\" or \"name must be restricted\". Those cannot be
well described when embedded. 3. Inconsistent validation.
\ Because the usages are different, the validation rules
are different by usage, which makes it hard for users to
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and
require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container
within a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that
triggered the event) or if no container name is specified
"spec.containers[2]" (container with index 2 in this
pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule
execution
enum:
- pass
- fail
- warn
- error
- skip
type: string
rule:
description: Rule is the name or identifier of the rule within
the policy
type: string
scored:
description: Scored indicates if this result is scored
type: boolean
severity:
description: Severity indicates policy check result criticality
enum:
- critical
- high
- low
- medium
- info
type: string
source:
description: Source is an identifier for the policy engine that
manages this report
type: string
timestamp:
description: Timestamp indicates the time the result was found
properties:
nanos:
description: Non-negative fractions of a second at nanosecond
resolution. Negative second values with fractions must
still have non-negative nanos values that count forward
in time. Must be from 0 to 999,999,999 inclusive. This
field may be limited in precision depending on context.
format: int32
type: integer
seconds:
description: Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
to 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
- nanos
- seconds
type: object
required:
- policy
type: object
type: array
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not
be evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not
selected for evaluation
type: integer
warn:
description: Warn provides the count of non-scored policies whose
requirements were not met
type: integer
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}


@ -4,18 +4,18 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
name: clusteradmissionreports.reports.kyverno.io
name: clusterephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
categories:
- kyverno
kind: ClusterAdmissionReport
listKind: ClusterAdmissionReportList
plural: clusteradmissionreports
kind: ClusterEphemeralReport
listKind: ClusterEphemeralReportList
plural: clusterephemeralreports
shortNames:
- cadmr
singular: clusteradmissionreport
- cephr
singular: clusterephemeralreport
scope: Cluster
versions:
- additionalPrinterColumns:
@ -50,7 +50,7 @@ spec:
name: v1
schema:
openAPIV3Schema:
description: ClusterAdmissionReport is the Schema for the ClusterAdmissionReports
description: ClusterEphemeralReport is the Schema for the ClusterEphemeralReports
API
properties:
apiVersion:


@ -4,18 +4,18 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
name: admissionreports.reports.kyverno.io
name: ephemeralreports.reports.kyverno.io
spec:
group: reports.kyverno.io
names:
categories:
- kyverno
kind: AdmissionReport
listKind: AdmissionReportList
plural: admissionreports
kind: EphemeralReport
listKind: EphemeralReportList
plural: ephemeralreports
shortNames:
- admr
singular: admissionreport
- ephr
singular: ephemeralreport
scope: Namespaced
versions:
- additionalPrinterColumns:
@ -50,7 +50,7 @@ spec:
name: v1
schema:
openAPIV3Schema:
description: AdmissionReport is the Schema for the AdmissionReports API
description: EphemeralReport is the Schema for the EphemeralReports API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation



@ -13,14 +13,10 @@ import (
func CRDsInstalled(apiserverClient apiserver.Interface) error {
kyvernoCRDs := []string{
"admissionreports.kyverno.io",
"admissionreports.reports.kyverno.io",
"backgroundscanreports.kyverno.io",
"backgroundscanreports.reports.kyverno.io",
"cleanuppolicies.kyverno.io",
"clusteradmissionreports.kyverno.io",
"clusteradmissionreports.reports.kyverno.io",
"clusterbackgroundscanreports.kyverno.io",
"clusterbackgroundscanreports.reports.kyverno.io",
"clustercleanuppolicies.kyverno.io",
"clusterpolicies.kyverno.io",
"clusterpolicyreports.wgpolicyk8s.io",
@ -28,6 +24,8 @@ func CRDsInstalled(apiserverClient apiserver.Interface) error {
"policyexceptions.kyverno.io",
"policyreports.wgpolicyk8s.io",
"updaterequests.kyverno.io",
"ephemeralreports.reports.kyverno.io",
"clusterephemeralreports.reports.kyverno.io",
}
var errs []error
for _, crd := range kyvernoCRDs {
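Review bot: The two names appended after `"updaterequests.kyverno.io",` break the alphabetical order the rest of `kyvernoCRDs` keeps, which makes future diffs against this list harder to review; `"clusterephemeralreports.reports.kyverno.io",` belongs directly after `"clustercleanuppolicies.kyverno.io",` and `"ephemeralreports.reports.kyverno.io",` after the last `cluster…` entry. Since the function only asserts that the listed CRDs exist, a cluster upgraded in place that still carries the superseded `admissionreports.reports.kyverno.io`-style CRDs will pass this check silently — presumably intended, but worth confirming that the upgrade path removes them. The body of `CRDsInstalled` continues past the hunk.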


@ -382,10 +382,8 @@ rules:
- apiGroups:
- reports.kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
- ephemeralreports
- clusterephemeralreports
verbs:
- create
- delete


@ -23,10 +23,8 @@ rules:
- apiGroups:
- reports.kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
- ephemeralreports
- clusterephemeralreports
verbs:
- create
- delete