diff --git a/Makefile b/Makefile index 6b3889bf71..1dab311433 100644 --- a/Makefile +++ b/Makefile @@ -146,7 +146,7 @@ docker-push-kyverno: docker-buildx-builder ################################## generate-api-docs: - go run github.com/ahmetb/gen-crd-api-reference-docs -api-dir ./api -config documentation/api/config.json -template-dir documentation/api/template -out-file documentation/index.html + go run gen-crd-api-reference-docs -api-dir ./api -config docs/config.json -template-dir docs/template -out-file docs/crd/v1/index.html ################################## diff --git a/docs/crd/v1/index.html b/docs/crd/v1/index.html index 0ff69db9f3..e9af06927e 100644 --- a/docs/crd/v1/index.html +++ b/docs/crd/v1/index.html @@ -20,12 +20,226 @@ background-color: #1589dd;
+(Appears on: +ContextEntry) +
++
APICall defines an HTTP request to the Kubernetes API server. The JSON +data retrieved is stored in the context. An APICall contains a URLPath +used to perform the HTTP GET request and an optional JMESPath used to +transform the retrieved JSON data.
+ +Field | +Description | +
---|---|
+urlPath
+
+string
+
+ |
+
+ URLPath is the URL path to be used in the HTTP GET request to the
+Kubernetes API server (e.g. “/api/v1/namespaces” or “/apis/apps/v1/deployments”).
+The format required is the same format used by the |
+
+jmesPath
+
+string
+
+ |
+
+(Optional)
+ JMESPath is an optional JSON Match Expression that can be used to +transform the JSON response returned from the API server. For example +a JMESPath of “items | length(@)” applied to the API server response +to the URLPath “/apis/apps/v1/deployments” will return the total count +of deployments across all namespaces. + |
+
+(Appears on: +GenerateRequestContext) +
++
AdmissionRequestInfoObject stores the admission request and operation details
+ +Field | +Description | +
---|---|
+admissionRequest
+
+string
+
+ |
++(Optional) + | +
+operation
+
+
+Kubernetes admission/v1beta1.Operation
+
+
+ |
++(Optional) + | +
+(Appears on: +Attestation, +ForEachMutation, +ForEachValidation) +
++
AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. +AnyConditions get fulfilled when at least one of its sub-conditions passes. +AllConditions get fulfilled only when all of its sub-conditions pass.
+ +Field | +Description | +
---|---|
+any
+
+
+[]Condition
+
+
+ |
+
+(Optional)
+ AnyConditions enable variable-based conditional rule execution. This is useful for +finer control of when an rule is applied. A condition can reference object data +using JMESPath notation. +Here, at least one of the conditions need to pass + |
+
+all
+
+
+[]Condition
+
+
+ |
+
+(Optional)
+ AllConditions enable variable-based conditional rule execution. This is useful for +finer control of when an rule is applied. A condition can reference object data +using JMESPath notation. +Here, all of the conditions need to pass + |
+
+(Appears on: +ImageVerification) +
++
Attestation are checks for signed in-toto Statements that are used to verify the image. +See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the +OCI registry and decodes them into a list of Statements.
+ +Field | +Description | +
---|---|
+predicateType
+
+string
+
+ |
+
+ PredicateType defines the type of Predicate contained within the Statement. + |
+
+conditions
+
+
+[]AnyAllConditions
+
+
+ |
+
+(Optional)
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified +the attestation check is satisfied as long there are predicates that match the predicate type. + |
+
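Review bot: In the Attestation table, the conditions row says that with no Conditions "the attestation check is satisfied as long there are predicates that match the predicate type". Besides the missing "as", this is a permissive default for a verification control: a rule that omits conditions checks only the predicate type and asserts nothing about attributes within the Predicate. Suggest fixing the wording and stating that consequence explicitly in the description. In the same hunk, the admissionRequest and operation rows of AdmissionRequestInfoObject carry only "(Optional)" with no description at all.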
@@ -127,6 +341,22 @@ each rule can validate, mutate, or generate resources.
failurePolicy
+
+
+FailurePolicyType
+
+
+FailurePolicy defines how unrecognized errors from the admission endpoint are handled. +Rules within the same policy share the same failure behavior. +Allowed values are Ignore or Fail. Defaults to Fail.
+validationFailureAction
string
@@ -153,6 +383,32 @@ Optional. Default value is “true”. The value must be set to “f
uses variables that are only available in the admission review request (e.g. user name).
schemaValidation
+
+bool
+
+SchemaValidation skips policy validation checks. +Optional. The default value is set to “true”, it must be set to “false” to disable the validation checks.
+webhookTimeoutSeconds
+
+int32
+
+WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. +After the configured time expires, the admission request may fail, or may simply ignore the policy results, +based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+(Appears on: -Deny, -Rule) +AnyAllConditions)
Condition defines variable-based conditional criteria for rule execution.
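Review bot: The schemaValidation description contradicts itself: it opens with "SchemaValidation skips policy validation checks", then says the default is "true" and that it "must be set to "false" to disable the validation checks". Reword so it is clear that true means the checks run. For webhookTimeoutSeconds, the text says that after expiry the request "may fail, or may simply ignore the policy results, based on the failure policy"; name the failurePolicy value that produces each outcome, so a reader can tell which setting leaves a timed-out request without the policy applied.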
@@ -212,7 +467,8 @@ ConditionOperatorOperator is the operation to perform.
+Operator is the operation to perform. Valid operators +are Equals, NotEquals, In, AnyIn, AllIn and NotIn, AnyNotIn, AllNotIn.
Name is the ConfigMap name.
Namespace is the ConfigMap namespace.
(Appears on: +ForEachMutation, +ForEachValidation, Rule)
-
ContextEntry adds variables and data sources to a rule Context
+ContextEntry adds variables and data sources to a rule Context. Either a +ConfigMap reference or a APILookup must be provided.
+ Name is the variable name. |
|
+ ConfigMap is the ConfigMap reference. + |
+|
+apiCall
+
+
+APICall
+
+
+ |
+
+ APICall defines an HTTP request to the Kubernetes API server. The JSON +data retrieved is stored in the context. |
conditions
-
-[]Condition
-
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
- Specifies set of condition to deny. +Multiple conditions can be declared under an |
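Review bot: The new ContextEntry description says "Either a ConfigMap reference or a APILookup must be provided", but the field added in this hunk is apiCall of type APICall and nothing named APILookup appears in the table. Suggest "Either a ConfigMap reference or an APICall must be provided". Also in this hunk, the conditions field changes from []Condition to k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON, so the generated reference no longer shows the shape of a condition; the description should point to the Condition and AnyAllConditions types.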
@@ -376,6 +654,34 @@ which a policy rule is not applicable.
+any
+
+
+ResourceFilters
+
+
+ |
+
+(Optional)
+ Any allows specifying resources which will be ORed + |
+
+all
+
+
+ResourceFilters
+
+
+ |
+
+(Optional)
+ All allows specifying resources which will be ANDed + |
+
UserInfo
@@ -385,7 +691,9 @@ UserInfo
|
(Optional)
- UserInfo contains information about the user performing the operation. +UserInfo contains information about the user performing the operation. +Specifying UserInfo directly under exclude is being deprecated. +Please specify under “any” or “all” instead. |
(Optional)
- ResourceDescription contains information about the resource being created or modified. +ResourceDescription contains information about the resource being created or modified. +Specifying ResourceDescription directly under exclude is being deprecated. +Please specify under “any” or “all” instead. + |
+
string
alias)+(Appears on: +Spec) +
++
FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.
+ ++(Appears on: +Mutation) +
++
ForEachMutation applies policy rule changes to nested elements.
+ +Field | +Description | +
---|---|
+list
+
+string
+
+ |
+
+ List specifies a JMESPath expression that results in one or more elements +to which the validation logic is applied. + |
+
+context
+
+
+[]ContextEntry
+
+
+ |
+
+(Optional)
+ Context defines variables and data sources that can be used during rule execution. + |
+
+preconditions
+
+
+AnyAllConditions
+
+
+ |
+
+(Optional)
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+set of conditions. The declaration can contain nested |
+
+patchStrategicMerge
+
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
+
+ |
+
+(Optional)
+ PatchStrategicMerge is a strategic merge patch used to modify resources. +See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ +and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + |
+
+(Appears on: +Validation) +
++
ForEachValidation applies policy rule checks to nested elements.
+ +Field | +Description | +
---|---|
+list
+
+string
+
+ |
+
+ List specifies a JMESPath expression that results in one or more elements +to which the validation logic is applied. + |
+
+context
+
+
+[]ContextEntry
+
+
+ |
+
+(Optional)
+ Context defines variables and data sources that can be used during rule execution. + |
+
+preconditions
+
+
+AnyAllConditions
+
+
+ |
+
+(Optional)
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+set of conditions. The declaration can contain nested |
+
+pattern
+
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
+
+ |
+
+(Optional)
+ Pattern specifies an overlay-style pattern used to check resources. + |
+
+anyPattern
+
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
+
+ |
+
+(Optional)
+ AnyPattern specifies list of validation patterns. At least one of the patterns +must be satisfied for the validation rule to succeed. + |
+
+deny
+
+
+Deny
+
+
+ |
+
+(Optional)
+ Deny defines conditions used to pass or fail a validation rule. |
+admissionRequestInfo
+
+
+AdmissionRequestInfoObject
+
+
+ |
++(Optional) + | +
+(Appears on: +Rule) +
++
ImageVerification validates that images that match the specified pattern +are signed with the supplied public key. Once the image is verified it is +mutated to include the SHA digest retrieved during the registration.
+ +Field | +Description | +
---|---|
+image
+
+string
+
+ |
+
+ Image is the image name consisting of the registry address, repository, image, and tag. +Wildcards (‘*’ and ‘?’) are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + |
+
+key
+
+string
+
+ |
+
+ Key is the PEM encoded public key that the image or attestation is signed with. + |
+
+roots
+
+string
+
+ |
+
+ Roots is the PEM encoded Root certificate chain used for keyless signing + |
+
+subject
+
+string
+
+ |
+
+ Subject is the verified identity used for keyless signing, for example the email address + |
+
+repository
+
+string
+
+ |
+
+ Repository is an optional alternate OCI repository to use for image signatures that match this rule. +If specified Repository will override the default OCI image repository configured for the installation. + |
+
+attestations
+
+
+[]Attestation
+
+
+ |
+
+ Attestations are optional checks for signed in-toto Statements used to verify the image. +See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the +OCI registry and decodes them into a list of Statement declarations. + |
+
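Review bot: The list row of ForEachMutation reads "to which the validation logic is applied", which looks copied from ForEachValidation; for a mutation it should refer to the mutation logic. In the ImageVerification table, key, roots and subject are all listed without "(Optional)" and without saying which combination is required, although key is described for a public key and roots and subject are described as "used for keyless signing". Document which of these are mutually exclusive and what the rule does when none is set, since that decides whether an image is verified at all. The admissionRequestInfo row also has no description.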
@@ -759,6 +1362,34 @@ which a policy rule is applicable.
any
+
+
+ResourceFilters
+
+
+Any allows specifying resources which will be ORed
+all
+
+
+ResourceFilters
+
+
+All allows specifying resources which will be ANDed
+UserInfo
@@ -768,7 +1399,9 @@ UserInfo
UserInfo contains information about the user performing the operation.
+UserInfo contains information about the user performing the operation. +Specifying UserInfo directly under match is being deprecated. +Please specify under “any” or “all” instead.
ResourceDescription contains information about the resource being created or modified.
+(Optional) +ResourceDescription contains information about the resource being created or modified. +Requires at least one tag to be specified when under MatchResources. +Specifying ResourceDescription directly under match is being deprecated. +Please specify under “any” or “all” instead.
foreach
+
+
+[]ForEachMutation
+
+
+ForEachMutation applies policy rule changes to nested elements.
+Spec defines policy behaviors and contains one or rules.
+Spec defines policy behaviors and contains one or more rules.
+failurePolicy
+
+
+FailurePolicyType
+
+
+ |
+
+(Optional)
+ FailurePolicy defines how unrecognized errors from the admission endpoint are handled. +Rules within the same policy share the same failure behavior. +Allowed values are Ignore or Fail. Defaults to Fail. + |
+
validationFailureAction
string
@@ -1004,6 +1671,32 @@ Optional. Default value is “true”. The value must be set to “f
uses variables that are only available in the admission review request (e.g. user name).
|
|
+schemaValidation
+
+bool
+
+ |
+
+(Optional)
+ SchemaValidation skips policy validation checks. +Optional. The default value is set to “true”, it must be set to “false” to disable the validation checks. + |
+
+webhookTimeoutSeconds
+
+int32
+
+ |
+
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. +After the configured time expires, the admission request may fail, or may simply ignore the policy results, +based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + |
+
Status contains policy runtime information.
+Status contains policy runtime information. +Deprecated. Policy metrics are available via the metrics endpoint
-
PolicyStatus mostly contains runtime information related to policy execution.
+PolicyStatus mostly contains runtime information related to policy execution. +Deprecated. Policy metrics are now available via the “/metrics” endpoint. +See: https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/
-averageExecutionTime
+ready
-string
+bool
|
-(Optional)
- AvgExecutionTime is the average time taken to process the policy rules on a resource. - |
-
-violationCount
-
-int
-
- |
-
-(Optional)
- ViolationCount is the total count of policy failure results for this policy. - |
-
-rulesFailedCount
-
-int
-
- |
-
-(Optional)
- RulesFailedCount is the total count of policy execution errors for this policy. - |
-
-rulesAppliedCount
-
-int
-
- |
-
-(Optional)
- RulesAppliedCount is the total number of times this policy was applied. - |
-
-resourcesBlockedCount
-
-int
-
- |
-
-(Optional)
- ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. - |
-
-resourcesMutatedCount
-
-int
-
- |
-
-(Optional)
- ResourcesMutatedCount is the total count of resources that were mutated by this policy. - |
-
-resourcesGeneratedCount
-
-int
-
- |
-
-(Optional)
- ResourcesGeneratedCount is the total count of resources that were generated by this policy. - |
-
-ruleStatus
-
-
-[]RuleStats
-
-
- |
-
-(Optional)
- Rules provides per rule statistics +Ready indicates if the policy is ready to serve the admission request |
+names
+
+[]string
+
+ |
+
+(Optional)
+ Names are the names of the resources. Each name supports wildcard characters +“*” (matches zero or many characters) and “?” (at least one character). +NOTE: “Name” is being deprecated in favor of “Names”. + |
+
namespaces
[]string
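Review bot: PolicyStatus is now described as "Deprecated. Policy metrics are now available via the "/metrics" endpoint", yet the same change adds a new ready field to it ("Ready indicates if the policy is ready to serve the admission request"). Scope the deprecation text to the removed counters so that ready does not read as deprecated on arrival. In the names row, "?" is documented as "at least one character"; state whether it matches exactly one character, because these patterns decide which resources a policy covers.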
@@ -1288,9 +1912,80 @@ Wildcards allows writing label selectors like [“storage.k8s.io/”
using [”” : “”] matches any key and value but does not match an empty label set.
|
|
+namespaceSelector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+in |
+
+
ResourceFilter allow users to “AND” or “OR” between resources
+ +Field | +Description | +
---|---|
+UserInfo
+
+
+UserInfo
+
+
+ |
+
+(Optional)
+ UserInfo contains information about the user performing the operation. + |
+
+resources
+
+
+ResourceDescription
+
+
+ |
+
+ ResourceDescription contains information about the resource being created or modified. + |
+
[]github.com/kyverno/kyverno/api/kyverno/v1.ResourceFilter
alias)+(Appears on: +ExcludeResources, +MatchResources) +
++
ResourceFilters is a slice of ResourceFilter
+@@ -1439,16 +2134,16 @@ and admission review request information like the name or role.
preconditions
-
-[]Condition
-
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
Conditions enable variable-based conditional rule execution. This is useful for -finer control of when an rule is applied. A condition can reference object data -using JMESPath notation.
+Preconditions are used to determine if a policy rule should be applied by evaluating a
+set of conditions. The declaration can contain nested any
or all
statements. A direct list
+of conditions (without any
or all
statements is supported for backwards compatibility but
+will be deprecated in the next major release.
+See: https://kyverno.io/docs/writing-policies/preconditions/
Generation is used to create new resources.
-(Appears on: -PolicyStatus) -
--
RuleStats provides statistics for an individual rule within a policy.
- -Field | -Description | -
---|---|
-ruleName
+verifyImages
-string
-
- |
-
- Name is the rule name. - |
-
-averageExecutionTime
-
-string
+
+[]ImageVerification
+
|
(Optional)
- ExecutionTime is the average time taken to execute this rule. - |
-
-violationCount
-
-int
-
- |
-
-(Optional)
- ViolationCount is the total count of policy failure results for this rule. - |
-
-failedCount
-
-int
-
- |
-
-(Optional)
- FailedCount is the total count of policy error results for this rule. - |
-
-appliedCount
-
-int
-
- |
-
-(Optional)
- AppliedCount is the total number of times this rule was applied. - |
-
-resourcesBlockedCount
-
-int
-
- |
-
-(Optional)
- ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. - |
-
-resourcesMutatedCount
-
-int
-
- |
-
-(Optional)
- ResourcesMutatedCount is the total count of resources that were mutated by this rule. - |
-
-resourcesGeneratedCount
-
-int
-
- |
-
-(Optional)
- ResourcesGeneratedCount is the total count of resources that were generated by this rule. +VerifyImages is used to verify image signatures and mutate them to add a digest |
+failurePolicy
+
+
+FailurePolicyType
+
+
+ |
+
+(Optional)
+ FailurePolicy defines how unrecognized errors from the admission endpoint are handled. +Rules within the same policy share the same failure behavior. +Allowed values are Ignore or Fail. Defaults to Fail. + |
+
validationFailureAction
string
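Review bot: The new preconditions description has an unbalanced parenthesis: "A direct list of conditions (without any or all statements is supported for backwards compatibility". Close it after "statements". The sentence "will be deprecated in the next major release" would also be easier to act on if it named the release.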
@@ -1671,6 +2281,32 @@ Optional. Default value is “true”. The value must be set to “f
uses variables that are only available in the admission review request (e.g. user name).
|
|
+schemaValidation
+
+bool
+
+ |
+
+(Optional)
+ SchemaValidation skips policy validation checks. +Optional. The default value is set to “true”, it must be set to “false” to disable the validation checks. + |
+
+webhookTimeoutSeconds
+
+int32
+
+ |
+
+ WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. +After the configured time expires, the admission request may fail, or may simply ignore the policy results, +based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + |
+
(Appears on: ExcludeResources, -MatchResources) +MatchResources, +ResourceFilter)
UserInfo contains information about the user performing the operation.
@@ -1764,6 +2401,20 @@ stringforeach
+
+
+[]ForEachValidation
+
+
+ForEach applies policy rule changes to nested elements.
+pattern
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
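Review bot: The foreach row added to Validation is described as "ForEach applies policy rule changes to nested elements", which is the mutation wording. The ForEachValidation type in this patch is described as applying "policy rule checks"; use that wording here so the two entries agree.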
@@ -1798,7 +2449,7 @@ Deny
Deny defines conditions to fail the validation rule.
+Deny defines conditions used to pass or fail a validation rule.
Specifies violated rule name.
+Name specifies violated rule name.
Specifies violated rule type.
+Type specifies violated rule type.
Specifies violation message.
+Message specifies violation message.
check
+status
+
+string
+
+Status shows the rule response status
++
Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group
+ +Resource Types: ++
ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API
+ +Field | +Description | +
---|---|
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+scope
+
+
+Kubernetes core/v1.ObjectReference
+
+
+ |
+
+(Optional)
+ Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + |
+
+scopeSelector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ ScopeSelector is an optional selector for multiple scopes (e.g. Pods). +Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + |
+
+summary
+
+
+PolicyReportSummary
+
+
+ |
+
+(Optional)
+ PolicyReportSummary provides a summary of results + |
+
+results
+
+
+[]PolicyReportResult
+
+
+ |
+
+(Optional)
+ PolicyReportResult provides result details + |
+
+
ReportChangeRequest is the Schema for the ReportChangeRequests API
+ +Field | +Description | +
---|---|
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+scope
+
+
+Kubernetes core/v1.ObjectReference
+
+
+ |
+
+(Optional)
+ Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + |
+
+scopeSelector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ ScopeSelector is an optional selector for multiple scopes (e.g. Pods). +Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + |
+
+summary
+
+
+PolicyReportSummary
+
+
+ |
+
+(Optional)
+ PolicyReportSummary provides a summary of results + |
+
+results
+
+
+[]PolicyReportResult
+
+
+ |
+
+(Optional)
+ PolicyReportResult provides result details + |
+
+
Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group
+ +Resource Types: ++
ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API
+ +Field | +Description | +
---|---|
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+scope
+
+
+Kubernetes core/v1.ObjectReference
+
+
+ |
+
+(Optional)
+ Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + |
+
+scopeSelector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ ScopeSelector is an optional selector for multiple scopes (e.g. Pods). +Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + |
+
+summary
+
+
+PolicyReportSummary
+
+
+ |
+
+(Optional)
+ PolicyReportSummary provides a summary of results + |
+
+results
+
+
+[]PolicyReportResult
+
+
+ |
+
+(Optional)
+ PolicyReportResult provides result details + |
+
+
ReportChangeRequest is the Schema for the ReportChangeRequests API
+ +Field | +Description | +
---|---|
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+scope
+
+
+Kubernetes core/v1.ObjectReference
+
+
+ |
+
+(Optional)
+ Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + |
+
+scopeSelector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ ScopeSelector is an optional selector for multiple scopes (e.g. Pods). +Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + |
+
+summary
+
+
+PolicyReportSummary
+
+
+ |
+
+(Optional)
+ PolicyReportSummary provides a summary of results + |
+
+results
+
+
+[]PolicyReportResult
+
+
+ |
+
+(Optional)
+ PolicyReportResult provides result details + |
+
+
Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group
+ +Resource Types: + ++
ClusterPolicyReport is the Schema for the clusterpolicyreports API
+ +Field | +Description | +
---|---|
+apiVersion
+string |
+
+
+wgpolicyk8s.io/v1alpha1
+
+ |
+
+kind
+string
+ |
+ClusterPolicyReport |
+
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+scope
+
+
+Kubernetes core/v1.ObjectReference
+
+
+ |
+
+(Optional)
+ Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + |
+
+scopeSelector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ ScopeSelector is an optional selector for multiple scopes (e.g. Pods). +Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + |
+
+summary
+
+
+PolicyReportSummary
+
+
+ |
+
+(Optional)
+ PolicyReportSummary provides a summary of results + |
+
+results
+
+
+[]PolicyReportResult
+
+
+ |
+
+(Optional)
+ PolicyReportResult provides result details + |
+
+
PolicyReport is the Schema for the policyreports API
+ +Field | +Description | +
---|---|
+apiVersion
+string |
+
+
+wgpolicyk8s.io/v1alpha1
+
+ |
+
+kind
+string
+ |
+PolicyReport |
+
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+scope
+
+
+Kubernetes core/v1.ObjectReference
+
+
+ |
+
+(Optional)
+ Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + |
+
+scopeSelector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ ScopeSelector is an optional selector for multiple scopes (e.g. Pods). +Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + |
+
+summary
+
+
+PolicyReportSummary
+
+
+ |
+
+(Optional)
+ PolicyReportSummary provides a summary of results + |
+
+results
+
+
+[]PolicyReportResult
+
+
+ |
+
+(Optional)
+ PolicyReportResult provides result details + |
+
+(Appears on: +ClusterPolicyReport, +PolicyReport, +ClusterReportChangeRequest, +ReportChangeRequest) +
++
PolicyReportResult provides the result for an individual policy
+ +Field | +Description | +
---|---|
+policy
+
+string
+
+ |
+
+ Policy is the name of the policy + |
+
+rule
string
|
(Optional)
+ Rule is the name of the policy rule + |
+
+resources
+
+
+[]Kubernetes core/v1.ObjectReference
+
+
+ |
+
+(Optional)
+ Resources is an optional reference to the resource checked by the policy and rule + |
+
+resourceSelector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ ResourceSelector is an optional selector for policy results that apply to multiple resources. +For example, a policy result may apply to all pods that match a label. +Either a Resource or a ResourceSelector can be specified. If neither are provided, the +result is assumed to be for the policy report scope. + |
+
+message
+
+string
+
+ |
+
+ Message is a short user friendly description of the policy rule + |
+
+status
+
+
+PolicyStatus
+
+
+ |
+
+ Status indicates the result of the policy rule check + |
+
+scored
+
+bool
+
+ |
+
+ Scored indicates if this policy rule is scored + |
+
+data
+
+map[string]string
+
+ |
+
+ Data provides additional information for the policy rule + |
+
+category
+
+string
+
+ |
+
+(Optional)
+ Category indicates policy category + |
+
+severity
+
+
+PolicySeverity
+
+
+ |
+
+(Optional)
+ Severity indicates policy severity |
+(Appears on: +ClusterPolicyReport, +PolicyReport, +ClusterReportChangeRequest, +ReportChangeRequest) +
++
PolicyReportSummary provides a status count summary
+ +Field | +Description | +
---|---|
+pass
+
+int
+
+ |
+
+(Optional)
+ Pass provides the count of policies whose requirements were met + |
+
+fail
+
+int
+
+ |
+
+(Optional)
+ Fail provides the count of policies whose requirements were not met + |
+
+warn
+
+int
+
+ |
+
+(Optional)
+ Warn provides the count of unscored policies whose requirements were not met + |
+
+error
+
+int
+
+ |
+
+(Optional)
+ Error provides the count of policies that could not be evaluated + |
+
+skip
+
+int
+
+ |
+
+(Optional)
+ Skip indicates the count of policies that were not selected for evaluation + |
+
string
alias)+(Appears on: +PolicyReportResult) +
++
PolicySeverity has one of the following values: +- high +- low +- medium
+ +string
alias)+(Appears on: +PolicyReportResult) +
++
PolicyStatus has one of the following values: +- pass: indicates that the policy requirements are met +- fail: indicates that the policy requirements are not met +- warn: indicates that the policy requirements and not met, and the policy is not scored +- error: indicates that the policy could not be evaluated +- skip: indicates that the policy was not selected based on user inputs or applicability
+ ++
Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group
+ +Resource Types: + ++
ClusterPolicyReport is the Schema for the clusterpolicyreports API
+ +Field | +Description | +
---|---|
+apiVersion
+string |
+
+
+wgpolicyk8s.io/v1alpha2
+
+ |
+
+kind
+string
+ |
+ClusterPolicyReport |
+
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+scope
+
+
+Kubernetes core/v1.ObjectReference
+
+
+ |
+
+(Optional)
+ Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + |
+
+scopeSelector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ ScopeSelector is an optional selector for multiple scopes (e.g. Pods). +Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + |
+
+summary
+
+
+PolicyReportSummary
+
+
+ |
+
+(Optional)
+ PolicyReportSummary provides a summary of results + |
+
+results
+
+
+[]PolicyReportResult
+
+
+ |
+
+(Optional)
+ PolicyReportResult provides result details + |
+
+
PolicyReport is the Schema for the policyreports API
+ +Field | +Description | +
---|---|
+apiVersion
+string |
+
+
+wgpolicyk8s.io/v1alpha2
+
+ |
+
+kind
+string
+ |
+PolicyReport |
+
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+scope
+
+
+Kubernetes core/v1.ObjectReference
+
+
+ |
+
+(Optional)
+ Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + |
+
+scopeSelector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ ScopeSelector is an optional selector for multiple scopes (e.g. Pods). +Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + |
+
+summary
+
+
+PolicyReportSummary
+
+
+ |
+
+(Optional)
+ PolicyReportSummary provides a summary of results + |
+
+results
+
+
+[]PolicyReportResult
+
+
+ |
+
+(Optional)
+ PolicyReportResult provides result details + |
+
+(Appears on: +ClusterPolicyReport, +PolicyReport, +ClusterReportChangeRequest, +ReportChangeRequest) +
++
PolicyReportResult provides the result for an individual policy
+ +Field | +Description | +
---|---|
+source
+
+string
+
+ |
+
+(Optional)
+ Source is an identifier for the policy engine that manages this report + |
+
+policy
+
+string
+
+ |
+
+ Policy is the name of the policy + |
+
+rule
+
+string
+
+ |
+
+(Optional)
+ Rule is the name of the policy rule + |
+
+resources
+
+
+[]Kubernetes core/v1.ObjectReference
+
+
+ |
+
+(Optional)
+ Resources is an optional reference to the resource checked by the policy and rule + |
+
+resourceSelector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ ResourceSelector is an optional selector for policy results that apply to multiple resources. +For example, a policy result may apply to all pods that match a label. +Either a Resource or a ResourceSelector can be specified. If neither are provided, the +result is assumed to be for the policy report scope. + |
+
+message
+
+string
+
+ |
+
+ Message is a short user friendly description of the policy rule + |
+
+result
+
+
+PolicyResult
+
+
+ |
+
+ Result indicates the outcome of the policy rule execution + |
+
+scored
+
+bool
+
+ |
+
+ Scored indicates if this policy rule is scored + |
+
+properties
+
+map[string]string
+
+ |
+
+ Properties provides additional information for the policy rule + |
+
+timestamp
+
+
+Kubernetes meta/v1.Timestamp
+
+
+ |
+
+ Timestamp indicates the time the result was found + |
+
+category
+
+string
+
+ |
+
+(Optional)
+ Category indicates policy category + |
+
+severity
+
+
+PolicySeverity
+
+
+ |
+
+(Optional)
+ Severity indicates policy severity + |
+
+(Appears on: +ClusterPolicyReport, +PolicyReport, +ClusterReportChangeRequest, +ReportChangeRequest) +
++
PolicyReportSummary provides a status count summary
+ +Field | +Description | +
---|---|
+pass
+
+int
+
+ |
+
+(Optional)
+ Pass provides the count of policies whose requirements were met + |
+
+fail
+
+int
+
+ |
+
+(Optional)
+ Fail provides the count of policies whose requirements were not met + |
+
+warn
+
+int
+
+ |
+
+(Optional)
+ Warn provides the count of unscored policies whose requirements were not met + |
+
+error
+
+int
+
+ |
+
+(Optional)
+ Error provides the count of policies that could not be evaluated + |
+
+skip
+
+int
+
+ |
+
+(Optional)
+ Skip indicates the count of policies that were not selected for evaluation + |
+
string
alias)+(Appears on: +PolicyReportResult) +
++
PolicyResult has one of the following values: +- pass: indicates that the policy requirements are met +- fail: indicates that the policy requirements are not met +- warn: indicates that the policy requirements and not met, and the policy is not scored +- error: indicates that the policy could not be evaluated +- skip: indicates that the policy was not selected based on user inputs or applicability
+ +string
alias)+(Appears on: +PolicyReportResult) +
++
PolicySeverity has one of the following values: +- high +- low +- medium
+
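Review bot: In the value lists for PolicyStatus (v1alpha1) and PolicyResult (v1alpha2), the warn entry reads "indicates that the policy requirements and not met"; "and" should be "are". In PolicyReportResult, the resourceSelector text says "Either a Resource or a ResourceSelector can be specified" while the field in the table is resources; align the name. This file is produced by the generate-api-docs target, so fix the source comments and regenerate rather than editing the HTML.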
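Review bot: In the Makefile hunk, the generate-api-docs recipe changes "go run github.com/ahmetb/gen-crd-api-reference-docs" to "go run gen-crd-api-reference-docs", which leaves the package argument without a module path. Confirm this resolves in a clean checkout; if the intent is a fork or a local copy of the generator, spell out its full import path and pin the version, so the tool that go run fetches and executes during the build is a reviewed, reproducible dependency. The output also moves from documentation/index.html to docs/crd/v1/index.html, so check that nothing still links to the old path.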