diff --git a/README.md b/README.md index 5966019bd2..f8bf4fb9e8 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ [](https://github.com/kyverno/kyverno/stargazers) - +
Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git. diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000000..52e147822b --- /dev/null +++ b/docs/README.md @@ -0,0 +1,27 @@ +# docs + +This folder containers the generated CRD documentation in HTML format. It is referenced from the Kyverno website (https://kyverno.io/docs/crds/). + +## Building + +Follow these steps to generate the docs: + +1. Install [gen-crd-api-reference-docs](https://github.com/ahmetb/gen-crd-api-reference-docs) + +```shell +clone https://github.com/ahmetb/gen-crd-api-reference-docs +cd gen-crd-api-reference-docs +go build +mv gen-crd-api-reference-docs $GOPATH/bin +``` + +2. Generate the HTML + +```shell +gen-crd-api-reference-docs -api-dir ./pkg/api/kyverno/v1 \ + -config docs/config.json \ + -template-dir docs/template/ \ + -out-file docs/crd/v1/index.html +``` + +3. If needed, update the [docs site](https://kyverno.io/docs/crds/). \ No newline at end of file diff --git a/documentation/api/config.json b/docs/config.json similarity index 100% rename from documentation/api/config.json rename to docs/config.json diff --git a/docs/crd/v1/index.html b/docs/crd/v1/index.html new file mode 100644 index 0000000000..0ff69db9f3 --- /dev/null +++ b/docs/crd/v1/index.html @@ -0,0 +1,1873 @@ + + +
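Review bot: the only change in the README.md hunk is the `-`/`+` pair immediately after the stargazers badge, and both lines have lost their content in this rendering, so the replaced badge markup and the URL the new badge points to cannot be reviewed from the diff; please state in the PR description which badge was swapped and what the new line links to. The surrounding context (the Kyverno description paragraph) is unchanged.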
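Review bot: the first shell block in the docs/README.md hunk does not run as written, since `clone https://github.com/ahmetb/gen-crd-api-reference-docs` is missing the `git` command, and even with that fixed it builds whatever commit is on the tool's default branch at the time, so the documentation toolchain is neither reproducible nor pinned to a reviewed revision. Suggest `git clone https://github.com/ahmetb/gen-crd-api-reference-docs` followed by a `git checkout <pinned-tag-or-commit>` (placeholder; use the revision the committed HTML was generated with) before `go build`, so the same input always yields the same index.html. Smaller points in the same hunk: "This folder containers the generated CRD documentation" should read "contains"; step 2 passes `-api-dir ./pkg/api/kyverno/v1`, `-config docs/config.json` and `-out-file docs/crd/v1/index.html` as paths relative to the repository root, which the text should say explicitly; and the file ends without a trailing newline.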
+ + + ++(Appears on: +Generation) +
++
CloneFrom provides the location of the source resource used to generate target resources. +The resource kind is derived from the match criteria.
+ +Field | +Description | +
---|---|
+namespace
+
+string
+
+ |
+
+(Optional)
+ Namespace specifies source resource namespace. + |
+
+name
+
+string
+
+ |
+
+ Name specifies name of the resource. + |
+
+
ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.
+ +Field | +Description | +||||||
---|---|---|---|---|---|---|---|
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+||||||
+spec
+
+
+Spec
+
+
+ |
+
+ Spec declares policy behaviors. ++ +
|
+||||||
+status
+
+
+PolicyStatus
+
+
+ |
+
+(Optional)
+ Status contains policy runtime data. + |
+
+
Condition defines variable-based conditional criteria for rule execution.
+ +Field | +Description | +
---|---|
+key
+
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
+
+ |
+
+ Key is the context entry (using JMESPath) for conditional rule evaluation. + |
+
+operator
+
+
+ConditionOperator
+
+
+ |
+
+ Operator is the operation to perform. + |
+
+value
+
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
+
+ |
+
+(Optional)
+ Value is the conditional value, or set of values. The values can be fixed set +or can be variables declared using using JMESPath. + |
+
string
alias)+(Appears on: +Condition) +
++
ConditionOperator is the operation performed on condition key and value.
+ ++(Appears on: +ContextEntry) +
++
ConfigMapReference refers to a ConfigMap
+ +Field | +Description | +
---|---|
+name
+
+string
+
+ |
++ | +
+namespace
+
+string
+
+ |
++ | +
+(Appears on: +Rule) +
++
ContextEntry adds variables and data sources to a rule Context
+ +Field | +Description | +
---|---|
+name
+
+string
+
+ |
++ | +
+configMap
+
+
+ConfigMapReference
+
+
+ |
++ | +
+(Appears on: +Validation) +
++
Deny specifies a list of conditions. The validation rule fails, if any Condition +evaluates to “false”.
+ +Field | +Description | +
---|---|
+conditions
+
+
+[]Condition
+
+
+ |
+
+ Specifies set of condition to deny. + |
+
+(Appears on: +Rule) +
++
ExcludeResources specifies resource and admission review request data for +which a policy rule is not applicable.
+ +Field | +Description | +
---|---|
+UserInfo
+
+
+UserInfo
+
+
+ |
+
+(Optional)
+ UserInfo contains information about the user performing the operation. + |
+
+resources
+
+
+ResourceDescription
+
+
+ |
+
+(Optional)
+ ResourceDescription contains information about the resource being created or modified. + |
+
+
GenerateRequest is a request to process generate rule.
+ +Field | +Description | +||||||
---|---|---|---|---|---|---|---|
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+||||||
+spec
+
+
+GenerateRequestSpec
+
+
+ |
+
+ Spec is the information to identify the generate request. ++ +
|
+||||||
+status
+
+
+GenerateRequestStatus
+
+
+ |
+
+(Optional)
+ Status contains statistics related to generate request. + |
+
+(Appears on: +GenerateRequestSpec) +
++
GenerateRequestContext stores the context to be shared.
+ +Field | +Description | +
---|---|
+userInfo
+
+
+RequestInfo
+
+
+ |
++(Optional) + | +
+(Appears on: +GenerateRequest) +
++
GenerateRequestSpec stores the request specification.
+ +Field | +Description | +
---|---|
+policy
+
+string
+
+ |
+
+ Specifies the name of the policy. + |
+
+resource
+
+
+ResourceSpec
+
+
+ |
+
+ ResourceSpec is the information to identify the generate request. + |
+
+context
+
+
+GenerateRequestContext
+
+
+ |
+
+ Context … + |
+
string
alias)+(Appears on: +GenerateRequestStatus) +
++
GenerateRequestState defines the state of request.
+ ++(Appears on: +GenerateRequest) +
++
GenerateRequestStatus stores the status of generated request.
+ +Field | +Description | +
---|---|
+state
+
+
+GenerateRequestState
+
+
+ |
+
+ State represents state of the generate request. + |
+
+message
+
+string
+
+ |
+
+(Optional)
+ Specifies request status message. + |
+
+generatedResources
+
+
+[]ResourceSpec
+
+
+ |
+
+ This will track the resources that are generated by the generate Policy. +Will be used during clean up resources. + |
+
+(Appears on: +Rule) +
++
Generation defines how new resources should be created and managed.
+ +Field | +Description | +
---|---|
+ResourceSpec
+
+
+ResourceSpec
+
+
+ |
+
+ ResourceSpec contains information to select the resource. + |
+
+synchronize
+
+bool
+
+ |
+
+(Optional)
+ Synchronize controls if generated resources should be kept in-sync with their source resource. +If Synchronize is set to “true” changes to generated resources will be overwritten with resource +data from Data or the resource specified in the Clone declaration. +Optional. Defaults to “false” if not specified. + |
+
+data
+
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
+
+ |
+
+(Optional)
+ Data provides the resource declaration used to populate each generated resource. +At most one of Data or Clone must be specified. If neither are provided, the generated +resource will be created with default data only. + |
+
+clone
+
+
+CloneFrom
+
+
+ |
+
+(Optional)
+ Clone specifies the source resource used to populate each generated resource. +At most one of Data or Clone can be specified. If neither are provided, the generated +resource will be created with default data only. + |
+
+(Appears on: +Rule) +
++
MatchResources is used to specify resource and admission review request data for +which a policy rule is applicable.
+ +Field | +Description | +
---|---|
+UserInfo
+
+
+UserInfo
+
+
+ |
+
+(Optional)
+ UserInfo contains information about the user performing the operation. + |
+
+resources
+
+
+ResourceDescription
+
+
+ |
+
+ ResourceDescription contains information about the resource being created or modified. + |
+
+(Appears on: +Rule) +
++
Mutation defines how resource are modified.
+ +Field | +Description | +
---|---|
+overlay
+
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
+
+ |
+
+(Optional)
+ Overlay specifies an overlay pattern to modify resources. +DEPRECATED. Use PatchStrategicMerge instead. Scheduled for +removal in release 1.5+. + |
+
+patches
+
+
+[]Patch
+
+
+ |
+
+(Optional)
+ Patches specifies a RFC 6902 JSON Patch to modify resources. +DEPRECATED. Use PatchesJSON6902 instead. Scheduled for +removal in release 1.5+. + |
+
+patchStrategicMerge
+
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
+
+ |
+
+(Optional)
+ PatchStrategicMerge is a strategic merge patch used to modify resources. +See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ +and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + |
+
+patchesJson6902
+
+string
+
+ |
+
+(Optional)
+ PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. +See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + |
+
+(Appears on: +Mutation) +
++
Patch is a RFC 6902 JSON Patch. +See: https://tools.ietf.org/html/rfc6902
+ +Field | +Description | +
---|---|
+path
+
+string
+
+ |
+
+ Path specifies path of the resource. + |
+
+op
+
+string
+
+ |
+
+ Operation specifies operations supported by JSON Patch. +i.e:- add, replace and delete. + |
+
+value
+
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
+
+ |
+
+(Optional)
+ Value specifies the value to be applied. + |
+
+
Policy declares validation, mutation, and generation behaviors for matching resources. +See: https://kyverno.io/docs/writing-policies/ for more information.
+ +Field | +Description | +||||||
---|---|---|---|---|---|---|---|
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+||||||
+spec
+
+
+Spec
+
+
+ |
+
+ Spec defines policy behaviors and contains one or rules. ++ +
|
+||||||
+status
+
+
+PolicyStatus
+
+
+ |
+
+(Optional)
+ Status contains policy runtime information. + |
+
+(Appears on: +ClusterPolicy, +Policy) +
++
PolicyStatus mostly contains runtime information related to policy execution.
+ +Field | +Description | +
---|---|
+averageExecutionTime
+
+string
+
+ |
+
+(Optional)
+ AvgExecutionTime is the average time taken to process the policy rules on a resource. + |
+
+violationCount
+
+int
+
+ |
+
+(Optional)
+ ViolationCount is the total count of policy failure results for this policy. + |
+
+rulesFailedCount
+
+int
+
+ |
+
+(Optional)
+ RulesFailedCount is the total count of policy execution errors for this policy. + |
+
+rulesAppliedCount
+
+int
+
+ |
+
+(Optional)
+ RulesAppliedCount is the total number of times this policy was applied. + |
+
+resourcesBlockedCount
+
+int
+
+ |
+
+(Optional)
+ ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. + |
+
+resourcesMutatedCount
+
+int
+
+ |
+
+(Optional)
+ ResourcesMutatedCount is the total count of resources that were mutated by this policy. + |
+
+resourcesGeneratedCount
+
+int
+
+ |
+
+(Optional)
+ ResourcesGeneratedCount is the total count of resources that were generated by this policy. + |
+
+ruleStatus
+
+
+[]RuleStats
+
+
+ |
+
+(Optional)
+ Rules provides per rule statistics + |
+
+(Appears on: +GenerateRequestContext) +
++
RequestInfo contains permission info carried in an admission request.
+ +Field | +Description | +
---|---|
+roles
+
+[]string
+
+ |
+
+(Optional)
+ Roles is a list of possible role send the request. + |
+
+clusterRoles
+
+[]string
+
+ |
+
+(Optional)
+ ClusterRoles is a list of possible clusterRoles send the request. + |
+
+userInfo
+
+
+Kubernetes authentication/v1.UserInfo
+
+
+ |
+
+(Optional)
+ UserInfo is the userInfo carried in the admission request. + |
+
+(Appears on: +ExcludeResources, +MatchResources) +
++
ResourceDescription contains criteria used to match resources.
+ +Field | +Description | +
---|---|
+kinds
+
+[]string
+
+ |
+
+(Optional)
+ Kinds is a list of resource kinds. + |
+
+name
+
+string
+
+ |
+
+(Optional)
+ Name is the name of the resource. The name supports wildcard characters +“*” (matches zero or many characters) and “?” (at least one character). + |
+
+namespaces
+
+[]string
+
+ |
+
+(Optional)
+ Namespaces is a list of namespaces names. Each name supports wildcard characters +“*” (matches zero or many characters) and “?” (at least one character). + |
+
+annotations
+
+map[string]string
+
+ |
+
+(Optional)
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys +and values support the wildcard characters “*” (matches zero or many characters) and +“?” (matches at least one character). + |
+
+selector
+
+
+Kubernetes meta/v1.LabelSelector
+
+
+ |
+
+(Optional)
+ Selector is a label selector. Label keys and values in |
+
+(Appears on: +GenerateRequestSpec, +GenerateRequestStatus, +Generation) +
++
ResourceSpec contains information to identify a resource.
+ +Field | +Description | +
---|---|
+apiVersion
+
+string
+
+ |
+
+(Optional)
+ APIVersion specifies resource apiVersion. + |
+
+kind
+
+string
+
+ |
+
+ Kind specifies resource kind. + |
+
+namespace
+
+string
+
+ |
+
+(Optional)
+ Namespace specifies resource namespace. + |
+
+name
+
+string
+
+ |
+
+ Name specifies the resource name. + |
+
+(Appears on: +Spec) +
++
Rule defines a validation, mutation, or generation control for matching resources. +Each rules contains a match declaration to select resources, and an optional exclude +declaration to specify which resources to exclude.
+ +Field | +Description | +
---|---|
+name
+
+string
+
+ |
+
+ Name is a label to identify the rule, It must be unique within the policy. + |
+
+context
+
+
+[]ContextEntry
+
+
+ |
+
+(Optional)
+ Context defines variables and data sources that can be used during rule execution. + |
+
+match
+
+
+MatchResources
+
+
+ |
+
+ MatchResources defines when this policy rule should be applied. The match +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the user name or role. +At least one kind is required. + |
+
+exclude
+
+
+ExcludeResources
+
+
+ |
+
+(Optional)
+ ExcludeResources defines when this policy rule should not be applied. The exclude +criteria can include resource information (e.g. kind, name, namespace, labels) +and admission review request information like the name or role. + |
+
+preconditions
+
+
+[]Condition
+
+
+ |
+
+(Optional)
+ Conditions enable variable-based conditional rule execution. This is useful for +finer control of when an rule is applied. A condition can reference object data +using JMESPath notation. + |
+
+mutate
+
+
+Mutation
+
+
+ |
+
+(Optional)
+ Mutation is used to modify matching resources. + |
+
+validate
+
+
+Validation
+
+
+ |
+
+(Optional)
+ Validation is used to validate matching resources. + |
+
+generate
+
+
+Generation
+
+
+ |
+
+(Optional)
+ Generation is used to create new resources. + |
+
+(Appears on: +PolicyStatus) +
++
RuleStats provides statistics for an individual rule within a policy.
+ +Field | +Description | +
---|---|
+ruleName
+
+string
+
+ |
+
+ Name is the rule name. + |
+
+averageExecutionTime
+
+string
+
+ |
+
+(Optional)
+ ExecutionTime is the average time taken to execute this rule. + |
+
+violationCount
+
+int
+
+ |
+
+(Optional)
+ ViolationCount is the total count of policy failure results for this rule. + |
+
+failedCount
+
+int
+
+ |
+
+(Optional)
+ FailedCount is the total count of policy error results for this rule. + |
+
+appliedCount
+
+int
+
+ |
+
+(Optional)
+ AppliedCount is the total number of times this rule was applied. + |
+
+resourcesBlockedCount
+
+int
+
+ |
+
+(Optional)
+ ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. + |
+
+resourcesMutatedCount
+
+int
+
+ |
+
+(Optional)
+ ResourcesMutatedCount is the total count of resources that were mutated by this rule. + |
+
+resourcesGeneratedCount
+
+int
+
+ |
+
+(Optional)
+ ResourcesGeneratedCount is the total count of resources that were generated by this rule. + |
+
+(Appears on: +ClusterPolicy, +Policy) +
++
Spec contains a list of Rule instances and other policy controls.
+ +Field | +Description | +
---|---|
+rules
+
+
+[]Rule
+
+
+ |
+
+ Rules is a list of Rule instances. A Policy contains multiple rules and +each rule can validate, mutate, or generate resources. + |
+
+validationFailureAction
+
+string
+
+ |
+
+(Optional)
+ ValidationFailureAction controls if a validation policy rule failure should disallow +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. The default value is “audit”. + |
+
+background
+
+bool
+
+ |
+
+(Optional)
+ Background controls if rules are applied to existing resources during a background scan. +Optional. Default value is “true”. The value must be set to “false” if the policy rule +uses variables that are only available in the admission review request (e.g. user name). + |
+
+(Appears on: +ExcludeResources, +MatchResources) +
++
UserInfo contains information about the user performing the operation.
+ +Field | +Description | +
---|---|
+roles
+
+[]string
+
+ |
+
+(Optional)
+ Roles is the list of namespaced role names for the user. + |
+
+clusterRoles
+
+[]string
+
+ |
+
+(Optional)
+ ClusterRoles is the list of cluster-wide role names for the user. + |
+
+subjects
+
+
+[]Kubernetes rbac/v1.Subject
+
+
+ |
+
+(Optional)
+ Subjects is the list of subject names like users, user groups, and service accounts. + |
+
+(Appears on: +Rule) +
++
Validation defines checks to be performed on matching resources.
+ +Field | +Description | +
---|---|
+message
+
+string
+
+ |
+
+(Optional)
+ Message specifies a custom message to be displayed on failure. + |
+
+pattern
+
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
+
+ |
+
+(Optional)
+ Pattern specifies an overlay-style pattern used to check resources. + |
+
+anyPattern
+
+k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
+
+ |
+
+(Optional)
+ AnyPattern specifies list of validation patterns. At least one of the patterns +must be satisfied for the validation rule to succeed. + |
+
+deny
+
+
+Deny
+
+
+ |
+
+(Optional)
+ Deny defines conditions to fail the validation rule. + |
+
+
ViolatedRule stores the information regarding the rule.
+ +Field | +Description | +
---|---|
+name
+
+string
+
+ |
+
+ Specifies violated rule name. + |
+
+type
+
+string
+
+ |
+
+ Specifies violated rule type. + |
+
+message
+
+string
+
+ |
+
+(Optional)
+ Specifies violation message. + |
+
+check
+
+string
+
+ |
++(Optional) + | +
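Review bot: several descriptions in the generated docs/crd/v1/index.html hunk are incomplete or inconsistent, and because the file is produced from the Go doc comments under pkg/api/kyverno/v1 they should be corrected at the source and the HTML regenerated rather than edited by hand: `GenerateRequestSpec.context` renders as "Context …", the `ConfigMapReference` and `ContextEntry` fields have empty descriptions, `ResourceDescription.selector` is cut off at "Label keys and values in", `Mutation.patchesJson6902` is typed `string` while its description calls it "a list of RFC 6902 JSON Patch declarations", and there are doc-comment typos ("using using JMESPath", "contains one or rules", "Each rules contains", "possible role send the request"). The defaults documented here are what policy authors will rely on (`validationFailureAction` defaulting to "audit", `background` defaulting to "true"), so a committed copy that drifts from the types is a real risk; consider a CI step that reruns the generator and fails on any diff against the checked-in file.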